Decade  of  1 


Bill  Boni,  vice  president 
of  information  security  at 
T-Mobile 


’snext?  28 


;  jr 

/ 

Vtm 

*  m/P  fvt 

'IK- v 

hUK 

'  if 

.  »  V 

■  7  *  i 

%  V. 

Klter, 

Mm 

VT 

INTRODUCING  3  NEW  SECTIONS: 


rsi 

o 

fM 

k. 

0) 

E 

w 

+-> 

Q. 

QJ 

1/1 


TECH  Schneier:  Kiss  IT  Control  Goodbye  8 

RISK  7  Common  Risk  Management 
Mistakes  18 

LEAD  Mind  the  (Generation)  Gap  22 


Because  no  two  businesses  are  the  same. 

introducing  the  flexible  new  range  of  IBM  System  x  servers. 

No  two  companies  have  the  same  IT  requirements.  That’s  why  IBM®  has  a  new  range  of  System  x® 
servers,  built  to  handle  workloads  ranging  from  simple  tasks  to  complex  cloud-based  and  business 
applications.  Featuring  the  latest  Intel®  Xeon®  E5-2600  and  E5-2400  series  processors,  these 
servers  can  be  customized  so  that  you  can  select  features  you  need  today  and  add  more  as  your 
business  needs  change.  Additionally,  IBM  Business  Partners  can  help  you  find  the  server  that 
meets  your  needs  and  pair  it  with  the  right  IBM  storage,  networking  and  software  solutions  for  a 
truly  optimized  infrastructure. 

A  new  range  of  customizable  servers  to  support  your  unique  business  needs. 


© 


'J'll!!1 


IBM  System  x3650  M4  Express 


$3,179 

OR  $84/MONTH  FOR  36  MONTHS1 
PN:  7915-EBU 


Low  TOO  with  exceptional  performance  per  watt 


Flexible,  “pay-as-you-grow”  design  to  lower  cost  and  manage  risk 


Excellent  reliability  and  uptime  for  business-critical  applications  and  the  cloud 


IBM  System  Storage®  DS3500  Express 


$5,499 


OR  S135/MONTH  FOR  36  MONTHS1 
PN:  1746A2S 


6  Gbps  SAS  system  delivere  midrange  performance  and  scalability  at  entry-level  prices 
Up  to  192  drives:  high  performance  and  nearline  SAS,  SSD  and  SED  SAS  drives 


Folt  interface  options:  6  Gbps  SAS,  1  Gbps  &  10  Gbps  iSCSI/SAS  and  8  Gbps  FC/SAS 


IBM  System  x3530  M4  Express 

$1,899 


OR  $51/MONTH  FOR  36  MONTHS' 
PN:  7915-EBU 


2-socket  value  server  optimized  for  performance  and  value 


Dense  1U  design  for  many  general  business  workloads 


IBM  DNA  throughout,  including  RAS,  flexibility  and  easy  management 


See  for  Yourself 

The  new  IBM  System  x  Selection  Tool  can  help 
you  choose  the  right  server  and  save  money. 
Visit:  ibm.com/systems/flexibility 


phone  to  learn  more 


Contact  the  IBM  Concierge 
to  help  you  connect  to  the 
right  IBM  Business  Partner. 
1-866-872-3902 

(mention  102JE09A) 


Xeon‘ 


'IBM  Global  Financing  offerings  are  provided  through  IBM  Credit  LLC  in  the  United  States  and  other  IBM  subsidiaries  and  divisions  worldwide  to  qualified  commercial  and  government  customers. 
Monthly  payments  provided  are  for  planning  purposes  only  and  may  vary  based  on  your  credit  and  other  factors.  Lease  offer  provided  is  based  on  an  FMV  lease  of  36  monthly  payments:  please 
contact  your  IBM  Global  Financing  representative  for  actual  monthly  amounts.  Other  restrictions  may  apply.  Rates  and  offerings  are  subject  to  change,  extension  or  withdrawal  without  notice. 

IBM  hardware  products  are  manufactured  from  new  parts  or  new  and  serviceable  used  parts.  Regardless,  our  warranty  terms  apply.  For  a  copy  of  applicable  product  warranties,  visit 
http://www.ibm.com/servers/support/machine_warranties.  IBM  makes  no  representation  or  warranty  regarding  third-party  products  or  services.  IBM,  the  IBM  logo,  System  Storage  and  System  x 
are  registered  trademarks  of  International  Business  Machines  Corporation,  registered  in  many  jurisdictions  worldwide.  Other  product  and  service  names  might  be  trademarks  of  IBM  or  other 
companies.  For  a  current  list  of  IBM  trademarks,  see  www.ibm.com/legal/copytrade.shtml.  Intel,  the  Intel  logo,  Xeon  and  Xeon  Inside  are  trademarks  of  Intel  Corporation  in  the  United  States  and  other 
countries.  All  prices  and  savings  estimates  are  subject  to  change  without  notice,  may  vary  according  to  configuration,  are  based  upon  IBM's  estimated  retail  selling  prices  as  of  7/2/12  and  may  not  include 
storage,  hard  drive,  operating  system  or  other  features.  Reseller  prices  and  savings  to  end  users  may  vary.  Products  are  subject  to  availability.  This  document  was  developed  for  offerings  in  the  United 
States.  IBM  may  not  offer  the  products,  features  or  services  discussed  in  this  document  in  other  countries.  Contact  your  IBM  representative  or  IBM  Business  Partner  for  the  most  current  pricing  in 
your  geographic  area.  ©2012  IBM  Corporation. 


September  2012  Volume  11,  Number  7 


of  the  CSO  survey 
shows  progress 
toward  a  deeper 
level  of  business 
understanding  and  a 
wider  knowledge  of 
risk  management 

BY  JOAN  GOODCHILD 


■  Also  Inside 

2  Editor’s  Letter 
4  Publisher’s  Letter 
36  Last:  Gray  Matters 


tech 

8  Kiss  your  IT  control  goodbye 
10  Owning  bad  guys  with  Javascript  botnets 

12  Salted  Hash:  Welcome  to  RSA... 
er,  I  mean  Black  Hat 

13  Critical  vulnerabilities  in 
Huawei  routers  and  more 

13  Wisdom  Watch:  Black  Hat  and  Defcon  edition 

14  The  inside  scoop  on  Adobe’s  security  strategy 

14  Fashback:  Most  users  run  older, 
insecure  versions  of  Adobe  Reader 

16  Android  malware  relays  infected  devices’ 
location  information  to  a  remote  server 

risk 

18  7  risk  management  mistakes 

21  Drilling  for  disaster 

lead 

22  Mind  the  (generation)  gap 
24  Think  differently 

26  Fixing  things  by  breaking  rules 


September  2012  www.csoonline.com  1 


Many  Thanks 

The  focus  of  CSO  has  always  been  on  the  audience. 


Before  the  magazine  launched,  we  assem¬ 
bled  an  advisory  board  of  industry  luminaries 
and  asked  what  we  should  cover  and  how.  To 
Bob  Weaver,  Dan  Geer,  Dorothy  Denning  (and 
others)-thanks. 

After  we  published  our  first  issue  in  Septem¬ 
ber  2002, 1  started  emailing  readers,  a  dozen 
each  month,  asking  for  their  reactions  and 
input.  Their  responses  further  shaped  our  direc¬ 
tion.  To  Scott  Urbach,  Eliot  Irons,  John  Pontrelli, 
Steve  Akridge,  Andy  Reeder,  Chris  Hawley  (and 
others)-!  still  have  the  notes  from  our  conver¬ 
sations.  Thanks. 

Some  readers  didn't  wait  for  us  to  call.  They 
came  knocking.  A  fondly  remembered  visit  to 
our  offices  from  George  Campbell,  Lynn  Mattice 
and  David  Kent  helped  confirm,  sharpen  or 
totally  redirect  (depending  on  who  you  ask) 
our  thinking  about  corporate  and  physical  secu¬ 
rity,  fraud  prevention,  business  continuity  and 
much  more. 

“You  have  an  opportunity  to  do  this  right,” 
they  told  us,  meaning  that  we  could  and  should 
be  inclusive  of  many  risk-related  disciplines. 
Thanks  to  them  as  well. 

I’ve  worked  on  CSO  from  its  inception,  and 
with  this  issue  we  celebrate  10  years  of  publish¬ 
ing,  and  10  years’  growth  and  success  for  the 
security  profession.  The  Decade  of  the  CSO. 

Our  cover  story  (“Ready  for  Anything,” 

Page  30)  looks  at  some  of  the  specific  progress 
you’ve  made  in  becoming  central  to  the  ability 


of  your  organizations  to  fully  understand, 
and  begin  to  mitigate,  the  myriad  risks 
they  face. 

The  end  of  one  decade  is  the  beginning  of 
another.  As  we  move  forward-as  you  move 
forward— I  have  a  favor  to  ask.  If  you  are  a  long¬ 
time  reader,  please  take  two  minutes  to  send 
me  an  email  and  give  me  your  feedback. 

What  are  we  doing  right?  What  are  we  miss¬ 
ing?  How  do  you  like  our  new  magazine  design, 
particularly  our  new  sections  (Tech,  Risk,  and 
Lead)?  How  is  our  website  serving  your  needs? 
What  should  we  cover  more,  or  less?  What’s 
your  biggest  challenge? 

-Derek  Slater,  Editor  in  Chief, 
dslater@cxo.com 


CSO  (ISSN  1540-904X)  is  published  monthly  except  loi  a  combined  issue  in  July/August  and  December/January  by  CXO  Media  Inc.,  492  Old  Connecticut  Path.  P.0.  Box 
9208,  Fiamingham.  MA  01701-9208.  Periodical  Postage  Rate  at  Framingham.  MA  01701,  and  at  additional  mailing  offices.  Canadian  Publications  Mail  agreement  number 
1902075.  Canadian  Postmaster:  Please  return  undeliverable  copy  to  P.0.  Box  1632,  Windsor.  ON  N9A  7C9.  Copyright  2011  by  CXO  Media  Inc.  All  rights  reserved.  Reproduction 
of  material  appearing  in  CSO  is  forbidden  without  written  permission.  Permission  to  photocopy  for  internal  or  personal  use  or  the  internal  oi  personal  use  of  specific 
clients  is  granted  by  CSO  for  users  through  the  Copyright  Clearance  Center,  provided  that  a  fee  of  $3.50  per  copy  of  the  article  is  paid  directly  to  Copyright  Clearance 
Center.  222  Rosewood  Drive.  Danvers.  MA  01970  www.copyright.com.  Please  specify:  ISSN  1540-904x.  Permission  to  photocopy  does  not  extend  to  contributed  articles— 
followed  by  this  symbol:  f.  Address  inquiries  to  CSO.  P.0.  Box  3482.  Northbrook.  IL  60065: 866  354-1125.  CSO  is  free  to  qualified  security  executives.  To  all  others  the 
one-year  basic  rate  is  S70  for  the  United  States  and  Canada,  $95  to  foreign  countries  (payable  in  U.S.  funds  only).  The  single  copy  price  is  $9  to  the  U  S.  and  Canada  and 
S15  International.  Please  allow  four  to  six  weeks  for  new  subscriptions  to  begin.  Change  of  Address:  Go  to  www.omeda.com/custsrv/cso  and  follow  the  online  instructions. 
Postmaster:  Send  change  of  address  to:  CSO.  P.0.  Box  3482.  Northbrook.  IL  60065.  Printed  in  the  USA. 


Editor  in  Chief 

Derek  Slater 
dslatertSicxo.com 
508  935-4213 
Twitter:  @derekcslater 

Managing  Editor 

Bill  Brenner 
bbrenner@cxo.com 
508  988-7587 
Twitter:  @billbrenner70 

Senior  Editor 

Joan  Goodchild 
igoodchild@cxo.com 
508  988-7994 
Twitter:  @msjoanieg 

Copy  Editor 

Colleen  Barry 

Executive  Director,  Art  and  Design 

Mary  Lester 

Art  Director 

Steve  Traynor 

Editorial  Administrator 

Pat  Josefek 

Research  Manager 

Carolyn  Johnson 

Contributing  Writers 

Taylor  Armerding,  Mary  Brandel, 
Michael  Fitzgerald,  Antone  Gonsalves, 
Brandon  Gregg,  George  V.  Hulme, 
Richard  Power,  Ben  Rothke. 
Michael  Santarcangelo,  Bob  Violino 

Editorial,  Advertising, 
and  Business  Offices 

492  Old  Connecticut  Path. 

P.O.  Box  9208 

Framingham,  MA  01701-9208 
Main  phone  number:  508  872-00  80 

Subscriber  Services 

Phone:866  354-1125 
Fax:  847  564-9453 
cso@omeda.com 

IDG  Enterprise 

An  IDG  Communications  Company 

International  Data  Group 
Chairman  of  the  Board 

Patrick  J.  McGovern 

IDG  Communications,  Inc. 

CEO 

Bob  Carrigan 

Chief  Content  Officer 

John  Gallant 


WORLDWIDE- 


2  www.csoonline.com  SEPTEMBER  2012 


Tim  Llewellyn 


3  ■BBWgtevf  '  ■  ■  ' :  ■ 


Tapj  the  Phone 
to  the  Reader 


Hl»f  "••  £ 

V  / 

ij  v  - 

,  fe  l  >  „•  „  ,  •  -< 


yj-Fyity- 

'V tCL 


a 


( ^  i  j  -  ■ 


No  other  company  can  offer  you  more  ways  to 
create,  use  and  manage  secure  identities  in  a 
trusted  environment  than  HID  Global. 

From  smart  cards  and  printers  to  smart  phones  to  managing  identities  in  the 

cloud,  we  provide  solutions  spanning  the  entire  lifecycle  of  your  secure  identities. 

Learn  more  about  how  HID  can  help  you  to  create,  use  and  manage  your  secure 
identities  visit:  HIDGIobal.com/create-use-manage-cso 

.<■  2012  HID  Global  Corporation/ASSA  ABLOY  AB.  All  rights  reserved.  HID.  HID  Global,  the  HID  Blue  Brick  logo,  the  Chain  Design.  iCLASS  SE,  Secure  Identity  Object.  SIO  and  Seos  are 
trademarks  or  registered  trademarks  of  HID  Global  or  its  licensor(s)/supplier(s)  in  the  US  and  other  countries  and  may  not  be  used  without  permission.  All  other  trademarks,  service  marks, 
and  product  or  service  names  are  trademarks  or  registeied  trademarks  of  their  respective  owners. 


ADVERTORIAL 


Research  Reveals  the  Need 
for  Physical  and 
Access  Management 


Market  a 
Pulse 


V 


It  is  not  enough  for  the  modern  enterprise  to  track  inventory, 
supplies  and  facilities.  It  must  track  people;  both  their  physical 
and  online  access  to  company  facilities  and  information. 

The  answer  is  an  automated,  centralized  physical  identity  and 
access  management  (PIAM)  solution.  And  the  leading  vendor  in 
this  space  is  Quantum  Secure. 

The  need  is  obvious.  The  terrorist  attacks  of  9/11  more  than  a 
decade  ago  prompted  an  overhaul  of  physical  security  manage¬ 
ment  at  airports  and  government  institutions.  But  it  also  prompted 
businesses— especially  those  with  multiple  locations  throughout 
the  world— to  assess  their  own  security  vulnerabilities. 


—  Kunal  Shrestha,  product  manager, 

Quantum  Secure 


This  assessment  showed  the  complexity  of  the  challenge.  A 
recent  survey  by  IDG  Research  Services  found  a  large  majority  of 
IT  security  professionals  (75  percent)  acknowledge  they  have  diffi¬ 
culty  managing  physical  identity  and  access  validation  for  full-  and 
part-time  employees  plus  a  variety  of  third  parties— short-  and 
long-term  contractors,  vendors,  customers,  interns,  visitors  and 
others— across  disparate  systems. 

They  acknowledge  the  integration  between  physical  and 
logical  security  systems  could  be  improved.  They  express  concern 
about  legacy  systems  in  place  to  manage  them,  which  are  largely 
manual  and  therefore  subject  to  human  error. 

The  failure  to  manage  identity  and  access  exposes  enterprises 
to  multiple  risks:  Disgruntled  former  employees  who  still  have 
access  to  facilities  could  steal  intellectual  property  or  sabotage 


facilities;  an  enterprise  could  face  liability  if  it  does  not  conduct 
adequate  background  checks  on  employees  and  third  parties;  and 
there  are  constant  outside  efforts  to  steal  intellectual  property. 

More  than  half  (54  percent)  of  large  enterprises  (those  with 
more  than  10,000  employees)  use  vendors  with  commercial  off- 
the-shelf  (COTS)  products  to  address  physical  identity  needs,  but 
only  36  percent  of  smaller  enterprises  do  so. 

There  are  a  variety  of  reasons  for  slow  adoption  of  vendor 
solutions:  The  sense  that  an  in-house  solution  is  more  cost  effec¬ 
tive;  doubts  about  whether  a  COTS  package  can  be  tailored  to  fit 
individual  business  needs;  doubts  about  the  value-add  of  a  COTS 
solution;  and  hesitancy  to  invest  in  what  some  perceive  is  still  a 
new  technology. 

But  resistance  to  vendor  physical  identity  and  access  manage¬ 
ment  solutions  comes  from  a  lack  of  understanding  about  the 
products,  their  features  and  the  value  propositions  now  estab¬ 
lished  in  the  marketplace.  In-house  solutions  can  cost  five  to 
seven  times  that  of  COTS  solutions  like  Quantum  Secure  SAFE, 
not  only  to  install  but  to  manage. 

The  perception  that  a  COTS  solution  cannot  be  tailored  to 
the  needs  of  individual  enterprises  is  180  degrees  from  reality, 
according  to  Kunal  Shrestha,  product  manager  for  Quantum 
Secure. 

"PIAM  software  offers  a  rich  framework  and  flexible  policy 
engine  to  customize  unique  requirements  as  per  the  customer's 
needs,"  Shrestha  said. 

A  COTS  solution  also  adds  value  with  diverse  features  that 
manage  the  lifecycle  of  a  physical  entity,  automatically  integrates 
physical  security  and  logical  identity  management  systems,  and 
provides  proper  automated  reporting  of  security  events,  compli¬ 
ance  reports  and  security  policies. 

And  PIAM  goes  well  beyond  a  physical  access  control  system 
(PACS),  which  is  focused  simply  on  opening  and  closing  doors. 

An  enterprise  trying  to  run  an  in-house  PIAM  solution  is  a  bit 
like  a  clothing  manufacturer  trying  to  build  and  maintain  its  own 
fleet  of  cars  and  trucks.  It  simply  doesn't  make  sense  because 
there  are  vendors  who  do  it  much  better  at  much  less  cost.  This 
is  the  advantage  of  vendor-provided  PIAM.  ■ 


»  "PIAM  software  offers  a  rich  frame¬ 
work  and  flexible  policy  engine  to 
customize  unique  requirements  as 
per  the  customer's  needs," 


cso 

Custom  Solutions  Group 


QUANTUM  SECURE 


To  download  the  whitepaper,  including  further  research 
results,  please  visit  www.csoonline.com/whitepapers/ 
Quantum_PiAM 


Do  you  know  your  physical  security 

access  infrastructure  may  be  open 
to  insider  and  outsider  threats? 


Take  Control  of  your  Physical  Security 
Infrastructure  with  SAFE  Solutions 

Our  SAFE  Software  Suite  is  a  Physical  Identity  and  Access 
Management  System  that  enables  a  global  approach  to  automate 
and  streamline  your  Physical  Security  Infrastructure.  With  SAFE 
Solutions  from  Quantum  Secure,  automate  and  streamline 
physical  access  management,  gain  visibility  and  take  control  of 
on/off  boarding  processes  across  global  facilities,  and  closely 
manage  restricted  areas  to  ensure  compliance  and  reduce 
corporate  risks. 

SAFE  delivers  attestation  reports  for  compliance  to  regulations 
such  as  SOX,  NERC,  PCI,  HIPAA  and  more.  SAFE  also  performs 
insider  risk  assessment  with  facility  access  analytics,  and  will 
operate  with  disparate  physical  access  (PACS)  and  HR  systems. 
The  SAFE  Software  Suite  is  designed  to  create  unprecedented 
efficiencies  and  lower  all  physical  access  related  risks. 


SAFE  is  ideal  for: 

>  Government 

>  Airports  and  Ports 

>  Telecom 

>  Energy  and  Utilities 

>  Healthcare,  Pharmaceuticals 

>  High  Technology 

>  Financial 

>  Higher  Education 

>  Transportation 


QUANTUM  SECURE 


©  2012  Quantum  Secure,  Incorporated.  All  rights  reserved. 


quantumsecure.com 


Before  You  Lecture,  Listen 

If  you  haven’t  heard  yet,  this  is  CSO  magazine’s  tenth  anni¬ 
versary.  Let  me  be  the  first  to  let  you  in  on  a  little  secret  (in  case 
you’ve  been  living  in  a  cave 
somewhere):  A  lot  has  changed 
in  ten  years. 

I’ve  had  the  unique  pleasure  to  watch  the 
security  and  risk  profession  evolve  from  a  back¬ 
room  player,  an  afterthought,  to  a  thought¬ 
leading,  business-aligned  profession  that  helps 
leadership  steer  their  organizations  through 
sometimes  calm,  often  perilous  waters  of  busi¬ 
ness.  You  haven’t  always  had  it  easy.  Heck, 
you’ve  often  had  little  or  no  support.  In  fact, 
when  this  magazine  launched  in  2002,  there 
was  some  doubt  as  to  whether  the  role  of  the 
CSO  would  continue  at  all  or  if  it  would  just  be 
absorbed  by  other  parts  of  the  business.  But 
through  hard  work  and  leadership,  you  have 
helped  teach  your  organization's  leaders  that 
what  you  do  is  important  (nay,  critical)  to  the 
continued  success  of  your  business. 

The  other  day  I  pulled  out  a  copy  of  our  very 
first  issue.  On  the  cover  was  a  photo  of  Bill  Boni, 
then  CISO  of  Motorola,  now  VP  of  information 
security  at  T-Mobile.  His  image  stared  at  me 
over  the  headline,  “Let's  Talk.’’  But  Bill  wasn’t 
talking,  he  was  listening.  How  very  prophetic 
that  has  turned  out  to  be. 

The  most  successful  security  leaders  aren’t 
the  ones  who  just  talked  about  security  and 
risk  until  they  were  blue  in  the  face.  They’re  the 
ones  who  do  a  lot  of  listening.  Listening  to  the 
business,  listening  to  their  peers...and  learning. 

If  I  had  to  sum  up  CSO' s  overarching  message 
from  the  past  ten  years,  it  would  be  just  that: 

Listen. 

It  is  said  that  with  knowledge  comes  under¬ 


Advertiser  Index 

ASSA  ABLOY . 

. 19 

IBM  Corp . 

. C2 

RSA,  the  Security  Division  of  EMC  . . 

....11 

Avigilon . 

. 9 

ISACA . 

. 7 

CSO . 

. 17,25 

Oracle  Corporation  . 

. 23 

Security  Smart  Newsletter . 

...27 

Deloitte  &  RSA  . 

. 15 

Q1  Labs,  an  IBM  Company . 

. C3 

HID  Corp . 

. 3 

Quantum  Secure  Inc . 

. 4 

Trend  Micro  Inc . 

...C4 

standing.  By  listening,  CSOs  have  learned  about 
the  business  of  their  organizations.  They  turned 
that  knowledge  into  understanding,  which 
in  turn  helped  them  align  security  with  the 
goals  of  the  organization.  From  that,  they  have 
learned  to  balance  risk  with  opportunity.  It’s  not 
perfect,  but  it  works...and  that  precarious  bal¬ 
ance  is  the  Holy  Grail  of  business.  If  you  want  to 
become  a  business  leader,  you  better  be  able 
to  talk  the  talk  and  walk  the  walk.  Otherwise 
you're  just  another  techie  saying  “no”  to  every 
new  technology,  or  you’re  just  another  security 
guard  walking  the  rounds  of  a  building. 

After  all  these  years  and  all  the  things  we’ve 
seen,  I  truly  believe  that  the  role  of  the  CSO  has 
a  bright  future.  The  team  at  CSO  looks  forward 
to  the  next  ten  years  of  helping  you  solve  your 
challenges  and  enjoy  your  successes. 

-Bob  Bragdon,  publisher 
bbragdon@cxo.com 


6  www.csoonline.com  SEPTEMBER  2012 


Executive  Committee 

President  &  CEO  Michael  Friedenberg 
Executive  Assistant  to  the 
President  &  CEO  Pamela  Carlson 
SVP  of  Human  Resources  Patricia  ' 
Chisholm 

SVP  of  Events  Ellen  Daly 
SVP  &  Chief  Content 
Officer  John  Gallant 
SVP  of  Digital  Brian  Glynn 
SVP  of  Strategic  Programs  &  Custom 
Solutions  Group  Charles  Lee 
SVP,  Group  Publisher  &CMO  BobMetk 
SVP  &General  Manager,  Online 
Operations  Gregg  Pinsky 
SVP  of  DEMO  Neil  Silverman 
SVP  &  COO  Matthew  Smith 
SVP  &  General  Manager,  CIO 
Executive  Council  Pam  Stenson 
SVP  of  Digital,  & 

Publisher  SeanWeglage 

Sales 

Publisher  Bob  Bragdon 
Senior  National  Sales 
Manager  PerMelker 
East  Coast  Regional  Director, 
Integrated  Sales  Roz  Burke 
Account  Director,  Integrated 
Sales  West  MaryHazeiton 
Sales  Associate  Sarah  Nadeau 

Integrated  Media  and  Online  Sales 
East  Coast  Online  Regional  Sales 
Manager  Richard  Hartman 
West  Coast  Online  Regional 
Sales  Manager  Erika  Karr 
Central  Online  Regional  Sales 
Manager  Stacy  Bryne 
Director  of  Ad  Operations  & 
Project  Management  Bill  Rigby 
Director,  Online  Account 
Services  Danielle  Tetreault 

Production 

VP  Production  Services  Chris  Cuoco 
Production  Manager  Heidi  Broadley 

Marketing 

Vice  President,  Marketing  Sue  Yanovitch 
Marketing  &  PR  Manager  Lynn  Hoimlund 

List  Services 

Contact  Steve  Tozeski  of  IDG  List  Services 
at  508  820-8106  or  stozeski@idglist.com 

Reprints  &  Permisions 

For  information  about  reprints  and 
copyright  permissions,  please  contact 
The  YGS  Group.  800-290-5460,  ext.  100. 
cso@theygsgroup.com 


Webb  Chappell 


Certified  Information 
Systems  Auditor* 


An  ISACA*  Certification 


Certified  Information 
Security  Manager* 

An  ISACA*  Certification 


Certified  in  the 
Governance  of 
Enterprise  IT* 

- — y- - 

An  ISACA*  Certification 


Certified  in  Risk 

and  Information 

Systems  Control" 

- 1 - 

An  ISACA*  Certification 


Register  today! 

Exam  Date:  8  December  201 2 

Registration  Deadline:  3  October  201 2 

ISACA  members  save  US  $150  off  exam  registration. 
Become  an  ISACA  member  today! 

www.isaca.org/certification-CSO 


~iSACA 

Trust  in,  and  value  from,  information  systems 


TOOLS  SYSTEMS  NETWORKS  DATA  PRIVACY 


Kiss  Your  IT  Control  Goodbye 

You  can  thank  the  cloud  and  BYOD  for  that  development,  says  Bruce  Schneier  by  bill  brenner 


SECURITY  LUMINARY  BRUCE  SCHNEIER 
has  a  message  for  all  you  CSOs,  CISOs  and  IT 
admins:  Your  days  of  having  control  over  the 
company  network  are  over. 

Done. 

Dead. 

“I  see  a  huge  loss  of  control  for  CSOs  be¬ 
cause  of  smartphones  and  clouds,”  he  says, 
holding  up  and  waving  around  his  own  phone 
for  emphasis. 

“We’re  losing  control  over  everything  and 


it’s  going  to  be  a  huge  deal.” 

He  offered  that  grim  outlook  during  a  sit- 
down  with  CSO  during  the  Black  Hat  confer¬ 
ence  in  July. 

For  the  leaders  of  enterprise,  cloud  com¬ 
puting  is  irresistible  because  of  the  cost 
savings  in  hardware.  Yet  they  still  have  little 
understanding  of  where  their  sensitive  data 
is  going  and  who  is  really  in  control  of  it, 
Schneier  says. 

Then  there’s  the  smartphones.  You  can't 


put  antivirus  software  on  them  and  you  have 
zero  control  over  all  the  apps  your  employees 
use  on  them. 

“Control  means  I  have  a  chance  of  security,” 
he  says.  “If  you  allow  BYOD,  you  can’t  specify 
anything.” 

So  where  do  we  go  from  here?  Schneier 
sees  more  policy-driven  security  ahead.  “If  I 
can’t  secure  your  phone,  I  will  attach  money 
to  you  and  make  you  liable,”  he  says.  “More 
security  will  be  done  by  attorneys  and  policy 


8  www.csoonline.com  SEPTEMBER  2012 


analog 


aviGiLon 


Save  on  personnel  costs  with  an 
Avigilon  HD  surveillance  system. 


Compared  to  analog,  Avigilon’s  superior  image  clarity  can  protect  wider  areas  in 
greater  detail.  By  seeing  exactly  what’s  happening,  you  can  drastically  shorten 
response  times  for  enhanced  safety  and  reduce  the  need  for  redundant  security 
personnel— saving  you  money  and  increasing  efficiencies.  Learn  more  about  protecting 
your  company’s  bottom  line  at  avigilon.com/casestudies  or  call  1.888.513.2955. 


aviGiLon 

THE  BEST  EVIDENCE’ 


Tech 


“Control  means  I  have  a  chance 
of  security.  If  you  allow  BYOD, 
you  can’t  specify  anything.” 


people  because  we’re  losing  control  of  tech.’ 
Will  it  work? 

“I  don’t  know.  I  sure  hope  so.” 

This  is  new  territory  and  all  bets  are  off, 
he  says. 

Recent  news  reports  back  his  claim  that 
data  is  nearly  impossible  to  control  in  these 
environments. 

During  last  month’s  Olympic  Games  in 
London,  Venafi,  a  security  vendor,  predicted 
that  about  214  million  books’  worth  of  cor¬ 
porate  and  personal  data  would  go  missing. 


-BRUCE  SCHNEIER 

Venafi  estimates  that  67,0  0  0  phones  were 
lost  or  stolen  during  the  Olympics,  that  about 
40  percent  of  them  were  smartphones,  and 
that  those  phones  would  have  a  capacity  of 
at  least  eight  gigabytes,  which  would  equal 


about  214.4  terabytes  of  data. 

Despite  all  that,  some  say 
the  big-picture  outlook  isn’t 
all  that  bad. 

During  a  separate  inter¬ 
view  with  CSO  at  Black  Hat, 
Jeremiah  Grossman,  founder 
and  CTO  of  WhiteHat  Security,  reacted  this 
way  to  Schneier’s  prediction: 

“IT  doesn’t  have  a  great  track  record  of 
controlling  devices,  so  in  that  sense  it’s  not 
such  a  bad  thing  if  they  don’t  have  control.” 


Owning  Bad  Guys  With  Javascript  Botnets 

Researcher  Chema  Alonso  says  it’s  relatively  easy  to  create  botnets 
and  use  them  to  turn  the  tables  on  the  black  hats 


A  RECENT  WHITE  PAPER  FROM  RESEARCHER  CHEMA 
Alonso  shows  how  easily  a  JavaScript  botnet  can  be  constructed, 
what  the  risks  of  doing  so  are,  and  what  kinds  of  people  are  using 
these  services. 

In  the  paper,  Alonso  spends  a  lot  of  ef¬ 
fort  on  reassuring  those  who  might  worry 
about  the  nature  of  the  research: 

“Our  proof-of-concept  work  is  com¬ 
pletely  passive;  there  is  no  intention  to 
control  the  lives  of  anyone,  but  to  study 
the  risks  of  certain  services  that  have 
become  too  popular,  such  as  anonymous 
proxies  and  TOR  networks.”  In  the  end, 
he  says,  all  the  intelligence  gathered  was 
turned  over  to  Spanish  authorities. 

The  goal,  Alonso  explains,  is  to  use  the 
bad  guys’  own  tricks  against  them,  and  in 
the  process  collect  intelligence  on  what 
they’re  up  to.  Whenever  a  user  connected 
to  one  of  the  rogue  proxy  servers  he  cre¬ 
ated,  they  were  infected  with  JavaScript  that  allowed  him  to  monitor 
their  activities. 

The  white  paper  goes  into  detail  about  the  types  of  schemes  the 
bad  guys  were  working  on: 

■  One  proxy  service  user  was  selling  Visa  cards  to  people  with  IP  ad¬ 
dresses  from  India,  the  report  alleges.  “To  do  that,  he  was  making 
an  intense  campaign  of  spam  with  an  email  message  request¬ 


ing  payment  for  Western  Union.  Of  course,  some  recipients  of  the 
messages  were  quite  skeptical  and  their  responses  were  very  neg¬ 
ative,  but  we  could  see  how  some  people  paid  and  sent  all  data  to 
obtain  a  Visa  that  would  never  come." 

■  Another  scam  artist  set 
up  fake  social  network¬ 
ing  profiles  for  women  with 
various  locations,  names  and 
ages.  The  German  scammer 
tried  getting  people  to  send 
him  money  through  Western 
Union  to  fund  trips  to  the 
women’s  locations  for  a  night 
of  “mad,  wild,  nasty  love.” 

The  culprit  organized  con¬ 
versations  and  stored  them. 
He  also  sought  money  in  ex¬ 
change  for  naked  photos. 

At  the  end  of  the  paper, 
Alonso  warns  that  proxy  sys¬ 
tems  and  anonymous  networks  like  The  Onion  Router  (Tor)  are  bad 
news  and  should  be  avoided  at  all  costs. 

“Tor  networks  and  proxy  systems  represent  man-in-the-middle 
schemes  in  which  you  must  trust  to  use  them,"  Alonso  says.  "Putting 
a  malicious  server  on  the  Internet  is  too  easy  and  is  typically  used,  in 
a  massive  way,  by  people  with  the  worst  of  the  intentions.  So  if  you 
use  any  of  these  facilities,  get  ready  to  be  attacked.”  -B.B. 


lO  www.csoonline.com  SEPTEMBER  2012 


Thinkstock 


WHITE  PAPER 


Mobile  Management  Drives 
New  Security  Paradigm 


Market 

Pulse 


Faced  with  an  increasingly  mobile  and  globalized  work¬ 
force,  and  the  proliferation  of  less  expensive  and  more  capable 
devices,  companies  have  had  to  establish  and  continually 
refine  mobile  security  policies.  A  survey  recently  conducted  by 
IDG  Research  Services  of  more  than  100  security  and  tech¬ 
nology  professionals  reveals  notable  trends  surrounding  the 
mobile  device  landscape  and  the  means  by  which  most  organi¬ 
zations  apply  security  technologies  and  policies. 

Mobile  devices  come  with  their  own  host  of  security  issues. 
Most  organizations  report  having  rolled  out  at  least  one  mobile 
business  application,  in  addition  to  full  e-mail  access.  Most 
can  now  use  collaboration,  content  management  or  business 
intelligence  solutions  on  their  mobile  devices.  These  additional 
capabilities  give  rise  to  additional  risks. 

When  a  mobile  device  or  laptop  is  lost,  there  are  many 
layers  to  what  that  loss  represents.  "The  greatest  risk  is  that 
you'll  have  a  targeted  attacker  infiltrate  your  network,  and 


these  technologies  have  their  strengths  and  weaknesses.  Most 
of  them  provide  the  same  level  of  control  in  every  scenario.  IDG 
Research  results  point  to  application-level  security  and  a  more 
granular  approach  as  the  most  effective,  most  flexible  and  most 
preferred  by  security  executives. 

There  are  tangible  business  benefits  to  applying  an  appro¬ 
priate  level  of  mobile  security,  research  respondents  report. 
These  include  protecting  customer  data,  preserving  corporate 
reputation,  protecting  intellectual  property,  and  complying  with 
regulatory  mandates. 

These  factors  all  contribute  to  the  scope,  scale  and  dynamic 
nature  of  mobile  security.  There  is  a  whole  new  class  of  threats 
associated  with  mobile  devices,  and  a  whole  new  set  of  chal¬ 
lenges  for  securing  personal  mobile  devices.  This  requires  a 
whole  new  approach  to  security.  ■ 


do  so  in  a  way  that  you  won't  even  know  he's  there,"  says 
Chris  Corde,  director  of  strategy  for  RSA.  Any  mobile  device 
or  endpoint  either  left  behind  or  stolen  often  contains  cached 
user  credentials.  This  could  give  an  attacker  access  to  the 
network,  and  let  him  operate  as  if  he  were  an  actual  employee 
with  legitimate  credentials. 

Cracking  someone's  password  is  often  sufficient  to  breach 
a  network.  In  most  cases,  standard  corporate  policy  is  to 
perform  a  complete  remote  wipe  of  the  mobile  device  in  the 
event  of  loss  or  theft.  This  protects  the  company  and  its  data, 
but  is  really  only  feasible  when  the  mobile  device  is  a  corporate 
owned  and  controlled  device.  It  gets  more  complicated  when 
the  device  is  owned  by  the  employee  and  contains  some  of  his 
or  her  personal  data  and  applications.  Users  won't  approve  a 
remote  wipe  of  their  own  devices. 

The  vulnerability  of  data  resident  on  a  device  is  a  more 
common  threat.  The  loss  of  a  mobile  device  could  give 
someone  the  ability  to  siphon  off  that  data.  "You  don't  need  to 
breach  a  network,"  Corde  says.  "You  just  need  the  device  in 
your  hand." 

Mobile  device  management  software,  the  use  of  virtual 
private  networks,  and  various  multifactor  user  authentication 
methods  all  come  into  play  when  securing  mobile  devices.  All 


Remote  Challenge  Accepted:  Specialized 
Authentication  for  Mobile  Apps 


4% 

Not  at  all  likely 


20% 

Not  very  likely 


/ 

23% 

Somewhat  likely 


13% 

Extremely  likely 


40% 

Very  likely 


How  likely  is  it  that  your  organization  will  deploy  a  specialized 
authentication  mechanism  for  mobile  applications? 

Source:  IDG  Research,  June  2012 


For  more  information,  view  the  white  paper  on  mobile 
management  at  wwww.csoonline.com/whitepapers/emc 

Custom  Solutions  Group  The  Security  Division  of  EMC 


Tech 

Bill  Brenner,  managing  editor 
CSOonline's  Salted  Hash  blog  and  newsletter  covers 
the  news  as  it  happens:  blogs.csoonline.com/blog/cso 


SALTED  HASH 


Welcome  to  RSA...er,  I  mean  Black  Hat 


IN  LATE  JULY,  I  WALKED  INTO  THE 
room  full  of  vendor  exhibits  at  Black  Hat  and 
a  strange  feeling  came  over  me,  like  I  had 
been  transported  five  months  back  in  time 
to  a  place  in  San  Francisco  where  the  people 
were  loud  and  the  eye  candy  excessive.  “Wel¬ 
come  to  RSA,"  I  thought  to  myself. 

I  wasn’t  the  only  one  to  get  that  feeling. 
Everyone  I  ran  into  said  much  the  same  thing. 
If  you  needed  proof  that  this  isn’t  your  older 
brother’s  Black  Hat,  this  is  it.  Vendors  were 
a  major  force  at  this  year's  Black  Hat  USA  in 
Las  Vegas.  To  be  sure,  some  attendees  aren’t 
happy  about  it.  They  long  for  the  time  when 
Black  Hat  was  a  counterculture  movement. 
This  more  mature,  respectable  version?  Well, 
let’s  just  say  I  can’t  print  some  of  the  words 
that  attendees  used  to  describe  it. 

Right  about  now  I  should  start  spouting 
off  about  how  Black  Hat  has  turned  into  a 
waste  of  time,  a  fruitless  endeavor  where  the 
big  money  has  taken  over  and  speakers  with 
integrity  are  nowhere  to  be  found. 


But  I’m  not  going  to  do  that.  Because  I 
don’t  believe  it. 

True,  Black  Hat  has  become  heavily  com¬ 
mercialized.  But  hasn’t  the  world  of  hacking 
in  general?  This  used  to  be  an  underground 
art.  Now  hacking  is  a  profession  respected 
and  embraced  by  big  business.  The  masters 
of  enterprise  know  now  that  they  need  you  to 
find  all  the  weaknesses  in  their  infrastructure 
before  the  bad  guys  find  them  and  turn  the 
company  into  another  data-breach  headline. 
That’s  as  it  should  be. 

True,  many  executives  still  have  a  problem 
listening  to  and  understanding  you.  But  I’ve 
met  a  lot  of  CEOs  who  are  slowly  starting 
to  get  it.  Slow  progress  beats  no  progress 
hands  down. 

Whenever  an  environment  shifts  like  this, 
someone  is  waiting  in  the  wings  to  make  a 
buck  off  it.  Enter  the  security  vendors. 

That’s  not  such  a  bad  thing,  either.  Some 
of  my  best  friends  in  this  industry  work  for 
vendors.  They’re  dedicated  to  protecting  our 


sensitive  information  and  to  doing  the  right 
thing.  They’re  trying,  at  least.  Those  vendors 
are  surrounded  by  a  lot  of  pretenders  who 
promise  the  solution  to  every  security  prob¬ 
lem  in  a  leather  box  full  of  diamonds.  The 
smartest  security  practitioners  among  us 
sniff  them  out  and  expose  them  pretty  easily. 
Black  Hat  is  the  type  of  event  that  attracts 
those  smart  minds. 

Since  that’s  the  case,  I’m  not  bothered 
by  the  commercial  spectacle  Black  Hat  has 
become.  It  simply  means  that  more  people 
have  been  invited  into  the  conversation 
about  the  best  way  to  make  a  positive  differ¬ 
ence  in  security. 

It  may  not  be  as  much  fun  for  us  reporters, 
who  remember  going  to  this  event  every  year 
and  chasing  the  dramatic  stories  that  always 
unfolded.  But  maturity  is  often  a  boring  thing. 
Boring,  but  necessary. 

And  if  it  gets  too  boring,  BSidesLV  is  just 
down  the  street,  and  is  a  nice  change  of  scen¬ 
ery  and  mind-set.  -B.B. 


12  www.csoonline.com  SEPTEMBER  2012 


Dan  Tentler 


Thinkstock 


WISDOM  WATCH 


4  FLAWS 


Critical  Vulnerabilities  in 
Huawei  Routers  and  More 

[EDITOR’S  NOTE:  4  FLAWS  IS  A  NEW  COLUMN  WHERE  WE’LL  RECAP 
four  vulnerabilities  per  month.]  Here  are  flaws  making  news  of  late: 

1.  Hackers  target  Huawei  for  “insecure  coding  practices  and  lack  of  se¬ 
curity  transparency.”  Security  researchers  unveiled  critical  holes  in  routers  from 
Chinese  networking  and  telecommunications  equipment  manufacturer  Huawei  at 
Defcon  in  July.  A  session  hijack,  heap  overflow  and  stack  overflow  were  found  in  the 
firmware  of  Huawei  AR18  and  AR29  series  routers  and  could  be  exploited  to  hijack 
the  devices,  researcher  Felix  Lindner  said. 

2.  Researcher  shows  off  Windows  8  attacks.  There  are  at  least  three  at¬ 
tack  points  in  Windows 
8  that  could  uncover 
exploitable  vulner¬ 
abilities,  says  researcher 
Sung-ting  Tsai,  leader 
of  an  advanced  threat 
research  team  for  Trend 
Micro. 

3.  Vulnerabilities 
found  in  three  popu¬ 
lar  payment  terminal 
models  can  result  in 
credit  card  data  theft, 
researchers  say.  Three 
widely  deployed  pay¬ 
ment  terminals  have 
security  holes  attackers 
could  exploit  to  steal 
credit  card  data  and 
PINs.  Researchers  Rafa¬ 
el  Dominguez  Vega  and 
Nils  (who  goes  by  one 
name)  showed  off  the 
flaws  at  Black  Hat. 

4.  Researcher 
hacks  smartphones 

over  near-field  communications.  Accuvant  Labs  researcher  Charlie  Miller  dem¬ 
onstrated  a  way  to  break  into  both  Google  Nexus  devices  and  the  Nokia  N9  by  using 
the  smartphones’  near-field  communications  (NFC)  capabilities.  Miller  showed 
Black  Hat  attendees  how  it’s  possible  to  exploit  the  phone’s  ability  to  use  radio 
communication  to  share  content,  using  it  to  play  such  tricks  as  crashing  phones  and 
even,  in  certain  circumstances,  reading  files  on  the  phone. 

Lucian  Constantin,  Ellen  Messmerand  Tim  Greene  contributed  to  this  report. 


Black  Hat  and 
Defcon  Edition 

Recent  conferences  illustrated  plenty 
of  fresh  security  challenges-and 
some  ridiculous  responses  to  them 


RSA.  After  getting  hacked  last  year, 

Jj  you’d  think  RSA  would  use  Black  Hat 
to  restore  its  reputation  for  making  rock-solid 
security  products.  Instead,  it  staffed  its  exhibit 
with  booth  babes  in  the  skimpiest  attire  (or  lack 
thereof)  money  can  buy.  Rather  than  talk  about 
the  technology,  attendees  spoke  of  nothing  but 
the  “trashy  booth  babes.”  Stay  classy,  RSA. 

National  Security  Agency  Director 
Hk-i  General  Keith  B.  Alexander.  The  General 
went  to  Defcon  and  asked  a  room  full  of  hack¬ 
ers  to  be  his  foot  soldiers  in  the  battle  to  secure 
cyberspace.  Given  the  NSA’s  penchant  for  secrecy 
and  mistrust  in  the  past,  Alexander’s  approach¬ 
traveling  to  events  around  the  country  and  invit¬ 
ing  attendees  to  be  part  of  his  fight-is  refreshing. 


Dave  Aitel,  CEO  of  Immunity.  Whether 
ILJ  or  not  you  agree  or  with  his  position  that 
security  awareness  training  is  a  waste  of  time, 
you  have  to  give  him  credit  for  having  the  guts 
to  publicly  challenge  conventional  wisdom. 

His  guest  column  on  CSOonline  was  the  talk  of 
Black  Hat,  and  his  advice  has  certainly  given  se¬ 
curity  professionals  something  to  think  about. 


P|  Traditional  media.  The  mainstream 
\J  press  may  have  decided  that  cyberse¬ 
curity  is  a  high-priority  topic,  but  it  has  trouble 
getting  the  storytelling  right.  Exhibit  A:  A  hyper¬ 
bolic  headline-“Can  Twitter  really  help  expose 
psychopath  killers’  traits?”— that  made  a  Defcon 
talk  sound  far  more  dramatic  than  it  really  was 
(even  one  of  the  presenters  said  so).  Exhibit 
B:  WBUR’s  groaner  of  a  teaser  in  its  Black  Hat- 
Defcon  report,  which  started  with,  “No,  this  is 
not  the  plot  for  a  summer  blockbuster..." 

-B.B. 


September  2012  www.csoonline.com  13 


Tech 


The  Inside  Scoop  on  Adobe’s  Security  Strategy 


THE  WAY  SECURITY  PROS  SEE  IT, 
Adobe  is  the  monster  they  can’t  live  with. 

But  they  really  can't  live  without  it,  either. 
Users  rely  on  Adobe  software  to  create,  edit 
and  view  a  variety  of  rich  media  content.  But 
for  many  security  practitioners,  frequent  at¬ 
tacks  against  a  range  of  security  holes  has 
become  too  much  to  take.  It’s  a  reputation 
Brad  Arkin-Adobe’s  senior  director  of  security, 
standards,  open  source  and  accessibility-is 
acutely  aware  of. 

Back  in  2010,  he  addressed  the  issue  in  a 
O&A  I  conducted  with  him.  He  said,  among 
other  things: 

“The  point  we  try  to  make  is  that  the  threat 
landscape  is  evolving  quite  rapidly  and  we’re 
doing  everything  possible  to  react  to  that 
and  stay  ahead  of  what’s  happening.  We  un¬ 
derstand  that  the  reason  Adobe  is  such  a  big 
target  for  the  bad  guys  is  that  it’s  so  ubiqui¬ 
tous.  Something  like  Reader  or  Flash  player  is 
installed  on  just  about  every  single  machine 


Brad  Arkin,  senior  director  of  security  for  Adobe 


out  there  that’s  connected  to  the  Internet.... 

As  a  result,  every  bad  guy  on  Earth  is  looking 
for  something  to  exploit  in  our  software.  One 
thing  we  can  do  to  make  our  products  less  at¬ 
tractive  to  the  bad  guys  is  to  regularly  update 
and  make  sure  as  many  people  as  possible  are 
using  the  most  updated  versions-and  make  it 
as  easy  as  possible  for  them  to  do  so.” 

He  also  played  up  the  fact  that  he’s  on  the 


board  of  SAFECode,  an  organization  dedicat¬ 
ed  to  working  security  into  products  from  the 
beginning  by  writing  cleaner  code. 

I  talked  to  Arkin  recently  to  see  how  Adobe 
security  is  progressing,  and  he  again  men¬ 
tioned  SAFECode.  This  time,  he  talked  about 
how  that  organization  has  contributed  direct¬ 
ly  toward  Adobe’s  improvements.  “SAFECode 
gives  us  the  chance  to  talk  to  peers  who  are 
having  different  challenges,”  he  says. 

Adobe  has  been  intensely  focused  on  get¬ 
ting  users  updated  to  the  latest,  most  secure 
versions  of  its  products. 

“We've  been  putting  a  lot  of  incremen¬ 
tal  improvements  into  Reader,  but  adoption 
wasn't  as  high  as  we  needed  it  to  be,”  he  says. 
“In  April  2010  we  turned  on  our  auto-updater, 
and  that's  increased  deployment  significantly. 
In  June  2011  we  changed  the  default  setting 
from  semi-auto  to  silent  auto.  Users  need  the 
update,  but  if  asked  they  won’t  want  to  be 
bothered.  So  the  goal  was  to  make  it  so  they 
wouldn’t  have  to  be  bothered.” 

In  February,  Adobe  shipped  the  background 
updater  for  the  Windows-based  Flash  Player 
and  this  summer  it  did  the  same  for  the  Mac 
version. 

Looking  at  the  big  picture,  Arkin  says:  "Edu¬ 
cated  watchers  know  security  has  been  a  huge 
focus  for  us.  In  2009-2010  we  saw  a  lot  of  at¬ 
tacks.  We  studied  the  bad  guys’  techniques  and 
made  changes  to  Reader  8  and  9  as  a  result. 
We’ve  gotten  hundreds  of  millions  updated  to 
version  10  since  its  release.  We  were  making 
improvements  to  older  versions,  which  helped, 
but  it  was  a  real  cat-and-mouse  game.  On  ver¬ 
sion  10  we  have  our  version  of  sandboxing. 

“The  bad  guys  attacked  Flash  a  lot  in  2010- 
2011.  The  security  update  response  time  for 
Flash  is  now  an  average  of  5  days.  We  are 
adapting  the  Reader  auto-update  strategy 
to  Flash  player,  but  it’s  a  little  more  difficult 
because  of  the  different  ways  Flash  communi¬ 
cates  with  the  different  browsers.  We  can't  do 
this  just  once  like  we  could  with  Reader.” 

-B.B. 


FLASHBACK:  Most  Users  Run  Older, 

Insecure  Versions  of  Adobe  Reader 

ADOBE  SENIOR  DIRECTOR  OF  SECURITY  BRAD  ARKIN’S  EXPLANATION 
of  why  users  need  automatic  security  updates  reminded  us  of  a  story  from  last  year 
about  people  sticking  with  older,  more  vulnerable  software.  Here’s  a  snippet: 

“Most  users  of  Adobe’s  hugely  popular  PDF  Reader  are  content  to  use  out-of- 
date  and  potentially  insecure  versions  of  the  program,  an  analysis  by  antivirus 
company  Avast  Software  has  revealed. 

“The  company  found  that  only  40  percent  of  users  had  installed 
the  patched  Reader  X  version  of  the  application,  an  important  re¬ 
lease  that  made  its  first  appearance  in  November  2010.  A  further 
35  percent  were  using  different  increments  of  Reader  9, 14  percent 
Reader  8, 6  percent  Reader  7,  and  2  percent  Reader  6,  which  dates 
back  to  July  2003.  Versions  3, 4  and  5  combined  for  3  percent,  which 
those  computers  are  running  software  that  was  released  in  the  late  1990s. 

“‘There  is  a  basic  assumption  that  people  will  automatically  update  or  migrate 
to  the  newer  version  of  any  program,’  says  Avast  CTO  Ondrej  Vlcek.  ‘At  least  with 
Adobe  Reader,  this  assumption  is  wrong-and  it’s  exposing  users  to  a  wide  range  of 
potential  threats.’” 


14  www.csoonline.com  SEPTEMBER  2012 


ADVERTORIAL 


An  Enhanced  View  of 
Enterprise  Resilience 


Market  a 


ARE  YOU  CONFIDENT  IN  YOUR  BUSINESS  CONTINUITY  STRATEGY 
AND  PLANNING?  SUCCESSFUL  ORGANIZATIONS,  ACCORDING  TO 
CSO  RESEARCH,  EMPLOY  TWO  LEADING  PRACTICES. 


If  you  question  your  organization's  ability  to  identify 
enterprise  risk  or  respond  .quickly  to  a  disruption  or  a 
disaster,  you're  not  alone.  In  recent  research  conducted 
by  CSO  magazine,1  just  over  half  of  the  respondents 
to  a  survey  reported  success  in  identifying  risk  within 
individual  areas  of  the  business.  Some  44  percent  said 
they  lacked  confidence  in  their  ability  to  respond  quickly 
to  disruptive  events. 

These  findings  highlight  a  weakness  in  many  organiza¬ 
tions'  business  continuity  and  disaster  recovery  (BC/DR) 
strategy,  planning  and  execution.  It's  serious  business: 
failure  to  achieve  enterprise  resilience  might  cause 
unnecessary  risks  to  an  organization's  operations,  repu¬ 
tation,  revenue  and  financial  valuation. 

What  do  organizations  that  are  successful  with  BC/ 

DR  have  in  common?  The  research  shows  that  their  BC/ 
DR  planning  and  processes  are  integrated  with  enterprise 
risk  management,  and  they  have  deployed  a  dedicated 
technology  solution  for  automating  business  continuity 
across  the  enterprise. 

Unlike  a  siloed  approach  to  BC/DR  and  risk  manage¬ 
ment,  a  coordinated  approach  may  pinpoint  the 
business-critical  processes  IT  should  support  as  well 
as  threats  to  the  business  beyond  IT  system  downtime. 
Integrating  enterprise  risk  management  with  business 
continuity  makes  it  possible  to  put  more  energy  into 
strategic  decisions  that  may  proactively  eliminate  single 
points  of  failure,  concentration  risk  and  other  threats. 

On  the  technology  front,  an  enterprise-wide,  dedi¬ 
cated  technology  solution  for  BC/DR  and  enterprise  risk 
management  may  facilitate  a  sustainable,  automated 
program,  which  is  essential  for  effective  crisis  manage¬ 
ment,  emergency  response,  business  continuity  and 
disaster  recovery,  it  is  also  helpful  in  creating  common 
process  definitions,  a  common  view  of  assets  to  be 
protected  and  their  business  context,  and  a  common 
data  repository  for  all  stakeholders.  By  delivering 
enhanced  capabilities  for  collaboration,  process  automa¬ 
tion,  mobility,  centralized  data  and  advanced  analytics, 
the  right  software  platform  may  help  organizations  weave 
resilience  into  the  fabric  of  enterprise  risk  management. 


In  evaluating  potential  solutions,  business  and  IT 
leaders  should  consider  integration  of  software  modules 
for  BC/DR  planning  with  enterprise  risk  management, 
both  working  from  a  common  data  set.  Centralized 
management  helps  ensure  a  consistent  approach  to 
crises,  emergency  response,  BC  and  DR.  The  ability  to 
perform  business  impact  analyses  should  assist  in  setting 
response  priorities.  Flexible  testing  functionality  may 
lead  to  continual  improvement  of  BC  plans  and  recovery 
processes,  and  real-time  crisis  management  may  benefit 
from  the  integration  of  outside  data  sources. 

Through  the  use  of  automation,  a  common  data  set 
for  risk  management  and  BC/DR,  and  other  benefits  of 
a  centralized  technology  solution,  leading  organizations 
may  react  more  effectively  and  efficiently  to  disruptions. 
As  a  result,  they  are  more  resilient  and  better  able  to 
manage  risks  that  arise  from  any  quarter. 


To  learn  more  about  the  research  results  and  for  a 
full  copy  of  the  white  paper  "Cultivating  Consistency 
for  Improved  Enterprise  Resilience,"  co-sponsored  by 
Deloitte  and  RSA,  please  visit  www.csoonline.com/ 
whitepapers/rsadeloitte. 


1  CSO  Market  Pulse:  Business  Continuity  Strategy/Plans.  Conducted 
on  behalf  of  RSA  and  Deloitte  by  IDG  Research  Services,  May  2012. 

This  document  contains  general  information  only,  and  Deloitte  is  not,  by  means 
of  this  document,  rendering  accounting,  business,  financial,  investment,  legal, 
tax,  or  other  professional  advice  or  services.  This  document  is  not  a  substitute 
for  such  professional  advice  or  services,  nor  should  it  be  used  as  a  basis  for  any 
decision  or  action  that  may  affect  your  business.  Before  making  any  decision  or 
taking  any  action  that  may  affect  your  business,  you  should  consult  a  qualified 
professional  advisor. 

Deloitte,  its  affiliates,  and  related  entities  shall  not  be  responsible  for  any  loss 
sustained  by  any  person  who  relies  on  this  document. 

As  used  in  this  document,  "Deloitte"  means  Deloitte  &  Touche  LLP,  a  subsidiary  of 
Deloitte  LLP.  Please  see  www.deloitte.com/us/about  for  a  detailed  description  of 
the  legal  structure  of  Deloitte  LLP  and  its  subsidiaries.  Certain  services  may  not  be 
available  to  attest  clients  under  the  rules  and  regulations  of  public  accounting. 

Copyright  ©  2012  Deloitte  Development  LLC.  All  rights  reserved. 

Member  of  Deloitte  Touche  Tohmatsu  Limited 

RSA,  Archer  and  EMC  are  either  registered  trademarks  or  trademarks  of  EMC 
Corporation  in  the  United  States  and/or  other  countries.  All  other  company  and 
product  names  may  be  trademarks  of  their  respective  owners. 


CSO  ItisZN  Deloitte.  \ 

Custom  Solutions  Group 


Android  Malware  Relays  Infected  Devices’ 
Location  Information  to  a  Remote  Server 


WHAT  THE  MALWARE  CREATORS  INTEND  TO  DO 
with  the  privacy-invading  information  is  not  clear.  The  app 
operates  in  the  background  and  appears  on  the  smartphone  or 
tablet  as  an  icon  labeled  “store.” 

The  icon  is  apparently  meant  to  fool  the  user  into  thinking 
that  it  is  only  an  e-commerce  app,  according  to  BitDefender 
Labs.  Instead,  the  malware  broadcasts  the  device’s  latitude  and 
longitude  and  the  name  of  the  wireless  carrier  it’s  on.  The  soft¬ 
ware  also  attempts  to  enable  the  device’s  Wi-Fi  and  scan  for 
antivirus-available  access  points.  All  the  data  is  transmitted  to 
a  remote  server  via  the  de¬ 
vice’s  Internet  connection. 

BitDefender  wrote  in  a 
blog  post  that  it  specu¬ 
lates  “that  infected  devices 
act  as  beacons,  providing 
attackers  with  a  relative 
positioning  of  certain  Wi-Fi 
networks  and  the  frequen¬ 
cy  [with]  which  infected 
devices  connect  or  interact 
with  them.” 

The  lightweight  spyware 
has  no  user  interface  and 
transmits  location  informa¬ 
tion  every  couple  of  sec¬ 
onds.  Because  the  malware 
runs  so  effectively  in  the 
background,  BitDefender 
believes  it  will  eventually  be 
bundled  with  other  apps. 

The  amount  of  mobile 
malware  is  soaring-last 
year  Juniper  Networks  de¬ 
tected  155  percent  more 
than  in  2010.  The  first  quarter  of  this  year  saw  twice  as  much 
spyware  as  the  same  time  last  year,  and  30  percent  more  of  all 
types  of  mobile  malware.  Most  of  it  is  targeted  at  Android,  the 
leading  smartphone  operating  system. 

While  this  rise  is  troubling,  there  are  still  relatively  few  in¬ 
fected  mobile  devices  compared  to  infected  PCs.  "While  we 
probably  haven’t  seen  a  widespread  malware  epidemic  in  terms 
of  the  Android  platform,  there  have  been  some  that  haven’t 


been  detected,”  says  Christian  Kane,  a  Forrester  Research 
analyst. 

As  a  result,  companies  are  looking  for  technology  to  manage 
applications  and  corporate  data  on  employees’  devices.  The 
mobile  security  market  was  worth  $675  million  worldwide  last 
year  and  is  projected  to  top  $1  billion  this  year,  according  to  IDC. 
By  2015,  the  market  is  expected  to  reach  $1.85  billion,  a  com¬ 
pound  annual  growth  rate  of  more  than  35  percent. 

Symantec,  hoping  to  grab  a  slice  of  the  pie,  announced  its 
first  enterprise-grade  antivirus  software  for  Android  devices. 

Called  Mobile  Security 
for  Android,  the  software 
checks  suspicious  apps 
against  Symantec’s  black¬ 
list  of  known  malware. 

When  a  bad  app  is  discov¬ 
ered,  the  program  can  notify 
the  device  user  and  a  corpo¬ 
rate  security  team  through  a 
mobile  device  management 
console. 

Symantec  is  moving  to¬ 
ward  an  all-in-one  platform 
for  securing  and  manag¬ 
ing  applications,  data  and 
devices,  Kane  says.  The 
company  is  looking  to  build 
tools  “for  firms  that  are  not 
looking  for  one-off  solu¬ 
tions,  but  would  really  like 
a  single  console,  something 
that  would  integrate  and 
work  together.” 

“Mobile  management 
overall  has  been  evolving 
quickly,  but  in  general  the  technology  is  pretty  immature,"  he 
says.  “We  have  a  ways  to  go  in  terms  of  bringing  full  capabilities 
that  an  enterprise  would  need  to  properly  manage  and  control 
their  apps,  data  and  devices."  Kane  says  that  to  be  enterprise- 
ready,  mobile  management  tools  must  improve  their  applica¬ 
tion  and  data  controls  and  offer  secure  methods  for  sharing  and 
collaborating  on  documents  with  mobile  devices. 

—Antone  Gonsalves 


16  www.csoonline.com  September  2012 


Want  to  be 
in  the  know 
about  the 
latest 
security 
topics  and 
trends? 


Become  a  CSO 


You’ll  gain  exclusive  access  to  premium 

content  and  resources,  including: 

■  What  to  buy.  In-depth  reviews  of  security 
and  IT  solutions 

■  Executive  and  Peer  Interviews  and  Insights. 
Deep  dives  with  the  industry’s  top  thinkers 

■  Practical  tips.  How-to  articles  for  security 
and  IT  professionals 

■  Exclusive  research  &  analysis.  Incisive  reports, 
case  studies,  and  more 

■  How  to  get  ahead.  Career  advice  from  industry 
experts  and  peers 

■  Invitations  to  select  events.  Get  the  inside  edge 


To  register  for  Insider  exclusive  content  visit: 

www.csoonline.com/insiders/index 


METRICS 


GOVERNANCE 


COMPLIANCE 


ALL-HAZARDS 


7  Risk  Management  Mistakes 

Faulty  statistical  methods  and  other  common  errors  that  can  trip  up  your  program  by  george  v.  hulme 


EXECUTIVES  KNOW  THEY  FACE 
risks,  but  they  often  don’t  know  which  risks 
are  real,  or  what  that  exposure  means  to  their 
business.  The  aim  of  security  risk  manage¬ 
ment  is  to  remove  the  guesswork  and  help 
the  business  make  smarter  decisions.  As  Jay 
Jacobs,  vice  president  of  the  Society  of  Infor¬ 
mation  Risk  Analysts  (SIRA),  says,  “Security 
risk  management  is  simply  a  decision-support 
system  for  the  business.  It  should  exist  to  in¬ 
form  the  decisions  of  the  business." 

Unfortunately,  many  experts  believe  that 
most  companies  aren't  quite  there  yet  and 
that  their  efforts,  while  well-meaning,  fall 
short  and  may  even  incorporate  bad  habits 
that  can  increase  an  organization’s  risk. 

Jeff  Lowder,  president  of  SIRA,  says,  “There 
is  a  mistaken  perception  that  expertise  in 
security  equals  expertise  in  risk  management. 
In  fact,  we  see  many  experts  in  security  who 
also  claim  to  be  experts  in  risk  management. 
They’re  often  not.  These  are  two  separate  dis¬ 
ciplines  and,  ideally,  someone  is  knowledge¬ 
able  about  both  if  they’re  performing  security 
risk  management.” 

To  get  a  better  understanding  of  where 
many  enterprises  go  wrong,  CSO  asked  a 
handful  of  experts  what  they  commonly  see 
enterprises  do  wrong  in  security  risk  manage¬ 
ment.  “In  many  organizations,  based  on  what 
we’ve  seen,  it  could  actually  be  better  if  the 
organization  chose  to  make  decisions  based 
on  coin  flips  rather  than  their  internal  security 
risk  management  frameworks.  At  least  when 
you  flip  a  coin,  you  have  a  50  percent  chance 
of  getting  it  right,”  says  Jacobs. 

Here  are  the  most  common  mistakes  and 


i  'f'r- 


misconceptions  made  in  well-intentioned  risk 
management  efforts: 

1  Starting  from  scratch.  Many  security 
professionals  will  attempt  to  reinvent 
the  discipline  of  security  risk  manage¬ 
ment.  Fortunately,  there  are  well-established 
methods  for  risk-analysis  tasks,  such  as  how 
to  solicit  an  expert  opinion  and  how  to  rep¬ 
resent  uncertainty  in  risk  models.  However, 
as  Jacobs  and  Lowder  explain,  most  people 
remain  unaware  of  the  research  about  how 
to  do  this  correctly,  and  end  up  re-creating 
not  only  the  same  models  but  also  the  same 
shortcomings  that  basic  approaches  suffer 
from.  “The  most  prominent  model  is  to  pick 
some  ‘risk’  factors  that  seem  important,  as¬ 
sign  some  ordinal  score,  and  then  perform 
basic  arithmetic  on  these  or  place  them  on 
a  matrix  that  has  been  shown  to  produce 
poorly,"  says  Jacobs.  The  only  saving  grace  for 
organizations  that  rely  on  these  homegrown 


frameworks  is  that  experienced  decision  mak¬ 
ers  often  distrust  the  results  these  basic  ap¬ 
proaches  produce,  Jacobs  says. 

2  Replicating  the  audit  depart¬ 
ment.  One  way  security  risk  man¬ 
agement  programs  set  themselves 
up  for  failure,  says  Alex  Hutton,  director  of  op¬ 
erations  risk  and  governance  at  a  large  finan¬ 
cial  services  firm  and  faculty  member  at  IANS, 
is  to  copy  the  functions  of  the  audit  depart¬ 
ment.  “While  there  are  similarities  between 
the  two,  the  roles  are  dramatically  different,” 
says  Hutton.  The  audit  team  should  be  con¬ 
cerned  about  where  failures  can  occur  through 
breakdowns  in  security  controls,  whereas  risk 
management  should  be  concerned  with  the 
potential  frequency  and  impact  of  IT  risks. 

And  where  audit’s  role  is  to  help  the  company 
understand  how  to  implement  controls,  risk 
management's  role  is  to  determine  how  to  get 
the  most  out  of  investments  in  security  con- 


18  www.csoonline.com  SEPTEMBER  2012 


IStockphoto 


See  usatASIS 
Booth  #1 708 


1  ‘ 


'  i'%  , ^ 

,  v^safc 


*  *'  *-  *  -  •  >  -  ■  -v-;  •  * 


v7?t®^Hb 


«*  '***■  '  <  *,  '7*  ,;  1*  * 

i^^s^rK!. *m.t  :  i|r 

#*  j£?.  -"■*»  .v  v  Op 

A  Tsl  ■" 


£\**.  f  m 

-*jl  -*  -a®, 

W  is*  ‘ 

^•■'  .  Ogjbv 


r 


m 


-  Safe  <??P 

/  .  .4  i  '  r.  p 

.  v  ,<yr  '■’ 

>-. .  f-  *  #  . 

Copyright  ©  201'2  ASSA  ABtOY  Inc.  All  rights  reserved. 


From  patented  key  systems  to  full-featured,  online  integrated  locksets,  ASSA  ABLOY  offers  access 
control  solutions  tailored  to  the  unique  locking  needs  of  each  opening.  With  the  industry's  largest 
range  of  products,  from  the  most  trusted  brands,  your  security  dollars  reach  farther  into  your  facility. 

Contact  your  ASSA  ABLOY  Integrated  Solutions  Specialist  for  a  consultation  on  your  next  project. 

Visit  usatASIS  Booth  #1708  orwww.intelligentopenings.com/SecurityContinuum 


□  Available  on  the  iPad 

App  Store 

Download  Our  App 
Want  help  finding  the  right 
solution  for  any  opening ?  Scan 
this  Microsoft ®  Tag  with  your 
iPad ®  or  visit  the  App  Store 
to  download  the  Security 
Continuum  App  for  iPad. 


ASSA  ABLOY 


ADAMS  RITE  |  CORBIN  RUSSWIN  |  HES  |  MEDECO  |  NORTON  |  SARGENT  |  SECURITRON  |  YALE 


The  global  leader  in 
door  opening  solutions 


Access  control 
isn't  one  size  fits 
all  either. 


Aysg 


Risk 


trols  and  related  processes.  “Most  organiza¬ 
tions  whose  risk  management  programs  end 
up  failing  do  so  because  they  end  up  merely 
enforcing  policy  rather  than  consulting  to 
the  organization  about  what  controls  do  and 
don’t  make  sense,"  says  Hutton. 

“Audit  doesn’t  necessarily  concern  itself 
with  threat  and  audit  doesn’t  necessarily  care 
about  reporting  an  aggregate  picture  of  risk, 
based  on  the  entire  outlook  of  threats,  assets, 
controls  and  impact,”  says  Hutton.  “Security 
risk  management  does.” 

Conflating  precision  with  ac¬ 
curacy.  Many  security  profession¬ 
als  are  uncomfortable  reducing 
IT  security  risks  and  vulnerabilities  to  simple 
numbers.  “You’ll  hear  people  say  that  there 
aren't  any  relevant  actuarial  tables,  or  there 
aren’t  enough  data  regarding  events  to  create 
a  number  that  will  provide  value,” 
says  Lowder.  “They’ve  confused 
being  able  to  give  a  precise  nu¬ 
merical  estimate  versus  being 
able  to  give  a  highly  accurate  nu¬ 
merical  range.” 

To  provide  actionable  informa¬ 
tion,  security  risk  management 
practitioners  don’t  have  to  give  numbers  that 
predict  the  exact  likelihood  of  a  good  or  bad 
outcome.  “Numbers  only  need  to  be  as  precise 
as  is  necessary  to  make  an  educated  decision,” 
says  Lowder.  “You  can  create  a  solid  argu¬ 
ment  when  you  show  that  the  probability  of 
something  happening  is  between  60  and  90 
percent,”  he  says. 

Emphasizing  risk,  not  expo¬ 
sure.  Hutton  says  many  organiza¬ 
tions,  when  evaluating  the  risks 
they  face,  focus  too  heavily  on  listing  and 
ranking  all  the  things  that  could  go  wrong, 
which  is  called  a  risk  register.  “The  problem 
with  creating  a  risk  register  is  that  people 
never  know  quite  when  to  stop.  They’ll  keep 
piling  on  risks,  even  the  most  obscure,  from 
cyber  attackers  with  every  conceivable  moti¬ 
vation  to  the  possibility  of  a  jet  engine  falling 
through  the  roof  of  the  data  center,”  he  says. 

“Very  esoteric  risks  are  things  that  make  it 
into  risk  registers.  But  they're  often  very  low- 
probability  events  that  could  cost  a  bajillion 


dollars  to  mitigate,”  he  says.  Hutton  advises 
organizations  to  create  an  exposure  register, 
which  is  more  likely  to  reflect  real-world  risks 
and  helps  organizations  mitigate  the  most 
probable  and  threatening  risks  first. 

Using  undefined  risk  concepts. 
One  of  the  most  common  ways 
that  practitioners  rank  threats  and 
vulnerabilities  is  on  a  simple  scale-low,  me¬ 
dium  or  high.  Unfortunately,  that  may  be  ask¬ 
ing  for  trouble.  After  all,  what  do  low,  medium 
and  high  actually  mean?  “They  actually  are 
quantitative,  without  the  appearance  of  being 
quantitative,”  says  Lowder.  “When  you  ask 
people  to  define  high,  medium  and  low  when 
applied  to  probability  or  frequency  of  events, 
nobody  seems  to  be  able  to  agree  on  what 
the  terms  actually  mean.  The  result  is  you 
have  this  illusion  of  communication.  That’s 


more  dangerous  than  trying  to  add  some  pre¬ 
cision  to  an  argument,”  Lowder  says. 

For  instance,  when  told  an  event's  likeli¬ 
hood  is  low,  some  executives  will  think  that 
means  there’s  a  10  percent  chance  of  it  hap¬ 
pening,  while  others  will  think  it’s  33  percent. 
“You  don’t  want  to  use  numbers  for  the  sake 
of  numbers,  but  whenever  possible,  you  want 
to  define  things  numerically  so  that  you  know 
you  are  clearly  communicating,"  says  Lowder. 
Not  having  a  risk  intelligence 
program.  “This  mistake  is  a  big 
one,"  says  Hutton.  “If  IT  secu¬ 
rity  risk  can  be  broken  down  to  four  sets  of 
information-threats,  controls,  assets  and 
impact-then  any  change  to  any  one  of  those 
conditions  would  have  an  impact  on  the  risk 
posture  of  an  organization,”  he  says.  Unfor¬ 
tunately,  current  risk  management  standards 
spend  little  time  describing  how  to  put  in 
place  a  risk  intelligence  program  or  the  impor¬ 
tance  of  that  function.  Nor  do  they  explain 
what  makes  a  valid  source  of  intelligence 


or  how  to  deal  with  new  information  that 
changes  an  organization’s  risk  posture. 

Implementing  an  intelligence  function  is 
more  straightforward  than  companies  might 
think,  says  Hutton.  They  just  need  to  monitor 
for  changes  that  could  affect  their  risk.  “For 
instance,  you  may  want  to  monitor  the  organi¬ 
zation  for  changes,  such  as  if  the  intrusion  de¬ 
tection/prevention  expert  leaves  the  company 
and  there’s  no  one  to  fill  the  knowledge  gap. 
That  would  increase  risk,  just  as  would  the 
discovery  of  new  OSX  malware  if  an  organiza¬ 
tion  has  a  decent  population  of  systems  run¬ 
ning  that  OS,”  says  Hutton.  And  if  you’re  not 
looking  for  these  types  of  changes,  you’re  not 
managing  risk  properly,  many  experts  say. 

Multiplying  ordinals.  “This  is  a 
key  mistake  to  avoid,”  says  Lowder. 
For  instance,  imagine  a  regatta  in 


which  boat  A  came  in  first,  boat  B  second,  and 
boat  C  third.  Using  only  this  information,  it’s 
impossible  to  calculate  the  average  time  for 
the  three  boats  to  finish  the  race:  all  we  know 
is  that  boat  A  was  faster  than  both  boats 
B  and  C.  “You  can  now  see  the  fatal  flaw  in 
multiplying  ordinal  values  or  trying  to  calcu¬ 
late  the  average  of  a  set  of  ordinal  values  on 
an  ordinal  scale,  such  as  first,  second,  third, 
or  high,  medium,  low,”  says  Lowder.  Ordinal 
scales  simply  define  the  rank  or  order  of  the 
values:  they  say  nothing  about  the  quantities 
represented  by  those  values.  “This  is  why  the 
mean  of  a  set  of  ordinal  values  is  undefined. 
For  the  same  reason,  it  is  meaningless  to  cal¬ 
culate  the  mean  for  risk  management  factors 
defined  as  high,  medium,  low,”  Lowder  says. 

Risk  management  is  difficult,  but  doing 
it  wrong  may  be  worse  than  doing  nothing 
at  all.  “You  will  be  making  decisions  on  bad 
inputs,  bad  processes  and  bad  calculations. 
That’s  a  formula  for  making  a  bad  situation 
worse,”  says  Jacobs. 


“Very  esoteric  risks  are  things  that  make  it  into  risk 
registers.  But  they’re  often  very  low  probability 
events  that  could  cost  a  bajillion  dollars  to  mitigate.” 

-ALEX  HUTTON 


20  www.csoonline.com  SEPTEMBER  2012 


Drilling  for  Disaster 

How  would  a  major  earthquake  affect  airport  operations?  by  bob  violino 


LOS  ANGELES  WORLD  AIRPORTS  (LAWA),  THE  DE- 
partment  that  oversees  three  airports  in  the  LA  area,  recently  im¬ 
plemented  a  business  continuity  and  disaster  recovery  plan  for  the 
Los  Angeles  International  Airport  (LAX).  As  part  of  the  effort,  the 
organization  conducted  a  tabletop  exercise  on  what  would  happen 
if  an  earthquake  struck  LAX. 

CSO  contributor  Bob  Violino  interviewed  Dominic  Nessi,  deputy 
executive  director  and  CIO  of  LAWA,  about  these  efforts. 

CSO:  What  was  involved  in  implementing  a  business  con¬ 
tinuity  and  disaster  recovery  plan  for  LAX,  and  did  this  re¬ 
place  an  existing  plan? 

Nessi:  When  I  arrived  at  LAX  in  2007,  it  was  apparent  that  we 
needed  to  drastically  upgrade  our  approach  to  business  continuity 
and  disaster  recovery  planning.  My  first  step  was  to  bring  on  an  ex¬ 
perienced  CISO,  Bob  Cheong,  who  would  be  the  program  manager 
for  our  efforts.  We  also  hired  an  experienced  and  skilled  cybersecu¬ 
rity  team. 

The  initial  step  in  the 
planning  was  a  business  im¬ 
pact  analysis  (BIA).  The  key 
component  of  the  BIA  was  to 
develop  the  Recovery  Time 
Objective  (RTO)  and  the  Re¬ 
covery  Point  Objective  (RPO) 
of  each  business  process.  RTO 
is  the  time  in  which  a  busi¬ 
ness  process  must  be  restored 
after  a  disaster  and  RPO  is 
the  maximum  time  that  data 
might  be  lost  from  an  IT  ser¬ 
vice  outage.  The  purpose  of 
this  analysis  is  to  understand  the  impacts  a  disruptive  event  may 
have  on  our  organization.  The  BIA  forms  the  business  case  for  a 
business  continuity  program. 

The  second  step  was  to  develop  13  business  continuity  plans,  the 
IT  disaster  recovery  plan,  and  the  IT  incident  response  plan.  The  two 
major  components  of  the  business  continuity  plan  are  the  manual 
workaround  procedures  and  the  roles  and  responsibilities  of  each 
participant  in  the  recovery  process.  Each  business  unit  was  required 
to  submit  a  manual  workaround  procedure  for  each  of  their  business 
processes.  This  is  required  to  continue  business  operations  when 
IT  systems  are  unavailable.  This  was  the  most  detailed  task  of  the 
project,  as  it  required  many  interactions  with  stakeholders  to  ensure 


the  accuracy  of  information.  Bob  and  his  team  managed  this  pro¬ 
cess,  working  intimately  with  the  LAX  business  community. 

Who  took  part  in  the  tabletop  exercise  and  what  was 
learned  and  accomplished  from  that?  We  used  the  following 
scenario  for  the  tabletop  exercise:  At  approximately  9:30  a.m.  Pa¬ 
cific  Daylight  Time,  an  earthquake  began  in  the  Pacific  Ocean  about 
30  miles  southwest  of  Malibu,  [Calif.]  at  a  magnitude  of  6.7  on  the 
Richter  scale.  The  epicenter  of  this  quake  was  53  miles  from  the 
Civic  Center  and  had  a  significant  effect  on  the  area  around  LAX. 
The  buildings  sustained  moderate  to  severe  structural  damage. 

The  participants  in  the  exercise  represented  the  LAX  department 
managers  and  selected  staff  for  which  business  continuity  and 
disaster  recovery  plans  had  been  established.  Participants  were 
gathered  in  a  single  room  and  asked  to  address  recovery  solutions 
based  on  the  information  in  their  plan.  They  were  able  to  question 
other  departments  to  determine  if  there  was  available  support  for 

any  dependencies. 

During  the  exercise  we  identi¬ 
fied  the  roles  and  responsibili¬ 
ties  of  each  team,  established 
communication  flow  to  exchange 
dependencies  information,  and 
discovered  missing  or  incorrect 
recovery  information. 

What  were  some  of  the 
challenges  you  encountered, 
and  how  did  you  address 
them?  One  of  the  challenges  the 
LAX  cybersecurity  team  encoun¬ 
tered  during  the  exercise  was  to 
make  sure  the  participants  were 
kept  on  track  in  responding  to  the  situation  and  that  there  was  an 
open  dialogue  that  flowed  between  groups.  Because  this  was  a 
new  experience  for  LAX,  there  was  ample  opportunity  for  deviating 
from  the  script.  What  we  found  was  that  the  LAX  business  commu¬ 
nity  responded  enthusiastically  to  the  exercise,  providing  insightful 
information  to  the  security  team. 

Are  you  planning  other  tabletop  exercises,  and  if  so  what 
will  they  involve?  As  LAX  is  currently  going  through  many  chang¬ 
es  in  enhancing  its  business  environment,  we  will  have  to  conduct 
tabletop  exercises  on  a  regular  basis  to  reflect  major  business 
process  changes.  These  exercises  will  validate  the  effectiveness  of 
each  updated  plan  and  address  any  gaps  that  were  uncovered. 


The  Tom  Bradley  International  Terminal  at  LAX 


September  2012  www.csoonline.com  21 


LEADERSHIP 


STRATEGY 


MANAGEMENT 


SKILLS 


CAREER 


Mind  the  (Generation)  Gap 

New  research  finds  disparate  attitudes  about  security  among 
the  various  generations  in  the  workforce  by  joan  goodchild 


LOOKING  OUT  AMONG  THE  EMPLOY- 
ees  in  your  organization,  you  probably  know 
there  are  certain  people  who  understand 
security  better  than  others.  I’m  talking  about 
the  employees  you  expect  to  be  less  likely  to 
fall  for  a  phishing  scam,  who  are  using  some¬ 
thing  other  than  “password"  to  secure  their 
devices  and  generally  tailor  their  behavior  to 
comply  with  security  more  effectively. 

Have  you  found  those  em¬ 
ployees  who  are  more  secure  to 
be  the  younger  folks  among  your 
ranks?  Or  is  it  the  older  ones  who 
may  not  be  as  comfortable  with 
technology,  but  who  are  more 
willing  to  take  the  necessary  pre¬ 
cautions  to  avoid  problems? 

Perhaps  as  a  security  manager, 
you’ve  seen  firsthand  that  gener¬ 
ational  differences  also  translate 
into  varying  approaches  to  tech¬ 
nology  and  security.  If  so,  new 
data  from  security  firm  Zone- 
Alarm  backs  you  up,  and  finds 
older  users  are  actually  more  se¬ 
cure  than  their  younger  peers. 

The  company  conducted  a 
Web  survey  on  the  topic  of  per¬ 
sonal  computer  security,  to  which 
1,245  people  from  the  United 
States,  Canada,  the  United  King¬ 
dom,  Germany  and  Australia 
responded.  Among  the  findings: 

Only  31  percent  of  those  aged 
18-25  ranked  security  as  the  most 


important  consideration  when  making  deci¬ 
sions  about  their  computers,  compared  to  58 
percent  of  Baby  Boomers  (those  over  age  45). 

The  survey  results  reveal  that  this  young¬ 
est  bracket  of  respondents  is  also  more  likely 
to  prioritize  entertainment  and  community 
over  security.  Compared  to  Baby  Boomers, 
the  youngest  participants  were  18  percent 
more  likely  to  say  entertainment  was  their  top 


gg- 


i*  'Y'l 


Wm 


V/a 


im 


1 


Wf&SL-UrA  . 


priority  and  14  percent  more  likely  to  say  com¬ 
munity  was  most  important  to  them. 

About  36  percent  of  Baby  Boomers  are 
“very  concerned”  about  security  and  privacy, 
compared  to  only  20  percent  of  the  youngest 
respondents.  And  the  survey  indicates  young 
people  may  be  overconfident  in  their  security 
knowledge,  as  63  percent  of  them  claim  to  be 
knowledgeable  about  security,  compared  to 
59  percent  of  Baby  Boom¬ 
ers.  Yet  50  percent  of  young 
respondents  have  had  security 
issues  in  the  past  two  years, 
compared  to  only  42  percent 
of  Baby  Boomers. 

The  security  thought- 
leaders  I  spoke  to  about  this 
issue  say  that  findings  are  not 
too  surprising  because  older 
generations  take  a  more  con¬ 
servative  approach  to  many 
aspects  of  security,  privacy 
and  risk.  Eric  Milam,  a  senior 
security  assessor  for  Accuvant 
Labs  who  has  an  expertise 
in  social  engineering  and 
penetration  testing,  says  he 
thought  Boomers  were  more 
likely  to  follow  rules  and  com¬ 
ply  with  security  policy  based 
on  their  background. 

“A  lot  of  younger  kids  will 
do  what  they  want  to  do, 
whereas  Boomers  may  be 
more  motivated  and  dedi- 


22  www.csoonline.com  SEPTEMBER  2012 


Thinkstock 


September  30  -  October  4,  2012 
Moscone  Center,  San  Francisco 


REGISTER  NOW 

Save  $200  by  Sept.  28th 


2,000  Sessions  450  Exhibitors  400  Demos 


1m 
•  « 


Register  at  oracle.com/openworld 


W  •?  •&.  £ 

• ‘4  •  # 


Global  Sponsor  Marquee  Sponsor 


Diamond  Sponsors 


|  Premier  Sponsor  |  Grande  Sponsors 


.  1 1 1 . 1 1 1 . 

CISCO.  Cognizant 


EMcf  Infosys*  rintei) 


FUJITSU 


accenture  ARROW 

High  performance.  Delivered.  f  VI  M  \— I  W  U 


Deloitte. 


. . .  ■  ’ 

xckMUff  ul.m.i  CISCO 


Grande  Sponsors  continued... 


TATA 

CONSULTANCY 

SERVICES 


■  ■  niNETsuiTE  -■ 

NetApp  piVC 


HITACHI 

Inspire  the  Next 


J)  Tech  Data 


y  Allan 


WIPRO 

Apptytf'f  Thought 


Copyright  ©  2012,  Oracle  and/or  its  affiliates.  All  rights  reserved.  Oracle  and  Java  are  registered  trademarks  of  Oracle  and/or  its  affiliates.  Other  names  may  be  trademarks  of  their  respective  owners 


Lead 


cated  to  work  ethics.  They  come  from  a  gen¬ 
eration  used  to  sticking  with  company  for  30 
years  and  might  not  want  to  rock  the  boat.” 

Mark  Lobel,  a  principal  with  Pricewater- 
houseCoopers  and  the  company’s  global 
subject  matter  expert  on  security  benchmark¬ 
ing,  discussed  new  information  from  PwC  that 
aimed  to  gauge  consumer  views  on  privacy 
and  the  sharing  of  personal  information.  PwC 
found  that  78  percent  of  younger  people  aged 
18-29  are  willing  to  share  personal  information 
in  exchange  for  discounts  on  things  like  movie 
tickets  and  dining  out,  compared  with  just  68 
percent  of  older  consumers  aged  45-59. 

“The  older  generation  we  know,  statisti¬ 
cally,  is  just  more  conservative  when  it  comes 
to  their  information-and  what  information 
they  will  give  up  and  trade  for  the  benefits 
that  giving  up  information  could  give  them,” 
says  Lobel. 

What  does  this  mean  for  how  you,  as  a 
security  manager,  when  it  comes  to  helping 

“A  lot  of  younger  kids 
will  do  what  they 
want  to  do,  whereas 
Boomers  may  be 
more  motivated 
and  dedicated  to 
work  ethics.” 

-ERIC  MILAM,  SENIOR  SECURITY 
ASSESSOR,  ACCUVANT  LABS 

your  employees  understand  security?  Should 
your  strategies  differ  based  on  the  age  of  the 
employee?  Both  experts  say  that  ultimately  it 
comes  down  to  the  level  of  threat  rather  than 
age.  In  a  social  engineering  trap,  for  example, 
age  probably  won’t  matter  if  the  ruse  is  tricky 
enough. 

“I  don’t  care  the  age  of  the  receiver,  if  I  tar¬ 
get  my  message,  I've  got  relatively  good  odds 
of  fooling  anybody,"  says  Lobel. 

Milam  agreed. 

“With  the  right  message,  anyone  can  be 
duped.” 


Think  Differently 

Steve  Jobs’  ability  to  eschew  tradition  not  only  made  him  a  great 
leader,  but  also  made  Apple  products  secure  by  edward  ferrara 


STEVE  JOBS,  BY  WALTER  ISAAC- 
son,  is  a  readable  and  honest  portrayal 
of  one  of  the  most  influential  person¬ 
alities  in  the  computer  industry.  Often 
caustic  and  abrupt,  Steve  Jobs  was  a 
man  of  extreme  brilliance  who  could 
intuitively  understand  what  makes  a 
great  product.  His  marketing  and  design 
shrewdness  were  without  peer.  Jobs 
had  his  share  of  failures  and  more  than 
his  share  of  successes.  The 
Apple  II,  Macintosh,  iMac, 
iPod,  iPhone  and  iPad  all 
reflect  his  ability  to  guide 
the  creation  of  truly  inno¬ 
vative  products. 

A  subtext  of  the  book 
is  Jobs’  awareness  of  the 
value  of  intellectual  prop¬ 
erty.  Jobs  showed  concern 
for  the  security  of  Apple’s 
intellectual  property  and 
went  to  great  lengths  to 
ensure  that  it  was  safe. 

For  example,  he  imposed 
strong  controls  on  the  de¬ 
sign  area  where  the  Apple 
design  team  works: 

“The  design  studio  where  Jony  Ive 
reigns,  on  the  ground  floor  of  Two 
Infinite  Loop  on  the  Apple  campus, 
is  shielded  by  tinted  windows  and  a 
heavy  clad,  locked  door.  Just  inside  is  a 
glass-booth  reception  desk  where  two 
assistants  guard  access.  Even  high-level 
Apple  employees  are  not  allowed  in 
without  special  permission"  (Page  345). 

However,  the  contribution  Jobs  made 
to  information  security  was  an  indirect 
one.  He  recognized  that  the  true  value 
of  Apple’s  products  is  in  the  design,  not 
in  the  physical  assets  themselves. 

For  too  long,  the  information  secu¬ 
rity  industry  has  looked  at  information 


as  homogenous  and  assumed  that  all 
hacking  is  created  equal  because  all 
information  is  created  equal.  This  could 
not  be  further  from  the  truth.  What 
Jobs  realized  was  that  information  has 
a  true  monetary  value,  which  could  be 
guaged  by  the  market  value  of  the  prod¬ 
uct  or  service  that  information  would 
become.  Apple  manufactures  very  little: 
it’s  a  design  and  marketing  firm.  Apple’s 
huge  market  capitaliza¬ 
tion  comes  from  the  new 
economy  of  ideas. 

This  should  be  a  sign  to 
all  of  us.  Not  all  informa¬ 
tion  has  the  same  value, 
and  so  not  all  information 
needs  the  same  safe¬ 
guards.  The  way  we  think 
about  information  protec¬ 
tion  needs  to  change. 

The  lesson  in  Steve  Jobs 
is  that  we  as  security  pro¬ 
fessionals  need  to  look  at 
problems  differently.  The 
way  we  protected  the  en¬ 
terprise  in  the  last  decade 
cannot  be  the  way  we  protect  it  in  the 
next. 

I  am  not  sure  either  Jobs  or  Isaacson 
would  have  thought  there  was  a  lesson 
here  for  security  professionals,  but  it’s 
there  nonetheless.  Ideas  expressed  as 
digital  information  are  the  new  prod¬ 
ucts.  They  are  worth  infinitely  more 
than  any  hardware  or  software  system 
that  tracks,  manipulates  or  manages 
that  information. 

Our  focus  should  not  be  on  protecting 
networks  or  infrastructure,  it  should  be 
on  protecting  the  intellectual  property 
that  travels  in  these  systems. 

Ed  Ferrara  is  a  Principle  Analyst  at 
Forrester. 


Stove  Jobs  by  Walter  Isaacson 


‘The  people  who  are  crazy 
enough  to  think  they  can 
change  the  world  are  the 
ones  who  do.” 

—Apple’s  “ Think  Different" 
commercial,  1997 


24  www.csoonline.com  SEPTEMBER  2012 


CSO’s  e-Mail  Newsletters 


Keep  Up  To  Speed 

On  the  Security  Issues  Important  to  You 
Delivered  right  to  your  desktop 

|Vj  CSO  Update 

A  look  at  the  latest  security  news  and  analysis  on 
CSOonline.com,  delivered  twice  a  week. 

[7|  CSO  Salted  Hash 

IT  security  news  and  analysis,  over  easy,  delivered  daily. 

|Vj  CSO  News  Watch 

A  recap  of  the  week’s  top  news  stories. 

|Vj  CSO  Career 

A  twice-monthly  newsletter  of  career  and  leadership- 
oriented  news,  articles  and  events  plus  job  postings. 

[VI  CSO  Tech  Watch 

Twice-monthly  update  on  technologies  for  protecting  networks,  facilities, 
employees,  intellectual  property  and  more. 

[7|  CSO  Security  Leader 

Monthly  leadership-related  articles  and  reports  from  CSO,  as  well  as  tips 
for  educating  employees  and  corporate  leadership. 

[Vj  CSO  Continuity  &  Recovery 

A  twice-monthly  review  of  published  material  concerning 
business  continuity  and  disaster  recovery. 

[7|  Security  Research  &  Metrics 

A  monthly  roundup  of  useful  security  research,  benchmarks  and  statistics. 

Sign  up  now  for  CSO’s 
complimentary  e-mail  newsletters 
www.CSOonline.com/newsletters 


BUSINESS  RISK  LEADERSHIP 


■  Lead 


Michael  Santarcangelo, 

michael@securitycatalyst.com,  Twitter:  @catalyst 


Fixing  Things  by  Breaking  Rules 

When,  why  and  how  you  should  let  someone  ignore  your  policies 

BY  MICHAEL  SANTARCANGELO 


“DADDY,  CAN  I  STAY  UP 
late  tonight?" 

Normally  my  answer  is  a  quick 
“no”  and  reminder  of  the  rules. 
But  one  night,  I  asked  my  son 
how  late  he  wanted  to  stay  up. 

“I  want  to  stay  up  all  night 
long!”  was  the  enthusiastic  reply. 

My  first  thought  was  how  tired 
I  was,  and  how  I  really  didn't 
want  to  stay  up  late.  And  then, 
for  a  second,  I  remembered  what 
it  was  like  to  be  a  kid  who  wanted 
the  experience  of  staying  up  late 
to  feel  special.  So  I  said  yes. 

As  a  grin  consumed  his  face, 

I  explained  the  conditions  of 
breaking  the  rules:  He  had  to  be 
quiet,  and  no  complaining  the 
next  day  when  he  was  tired. 

He  agreed,  I  went  to  bed,  and 
he  stayed  up  long  past  when  I 


expected,  finally  crashing  around 
3  in  the  morning.  He  got  up  with 
the  rest  of  us,  and  even  though 
he  was  tired,  he  didn’t  complain. 

It  was  good  for  both  of  us,  and 
I  learned  that  allowing  him  to 
break  the  bedtime  rule  actually 
improved  his  future  compliance 
with  it.  Instead  of  arguing,  his 
experience  of  staying  up  all  night 
and  his  subsequent  exhaustion 
helped  him  understand  why  we 
had  the  rule  in  the  first  place. 

The  lessons  I  learned  let¬ 
ting  my  son  break  the  rules  hold 
true  for  security,  too.  Here's  why 
sometimes  breaking  a  rule  leads 
to  better  compliance: 

1.  It  lets  people  practice  au¬ 
tonomy,  on  the  condition  that 
they  live  with  the  consequences. 
This  makes  them  feel  recognized 


and  respected. 

2.  It  creates  a  unique  context 
in  which  to  discuss  the  reason  for 
the  rule.  Generally  this  leads  to  a 
better  understanding  of  the  rule; 
sometimes,  it  creates  a  better 
understanding  of  why  the  rule 
needs  to  change. 

3.  It  improves  bonds.  People 
who  know  the  consequences  of 
their  actions  get  along  better 
with  those  who  make  the  rules. 

As  a  parent,  my  responsibility 
is  to  teach  my  children  right  from 
wrong.  But  in  security,  we're  not 
the  parents  and  our  job  is  a  bit 
more  nuanced.  Letting  someone 
break  a  rule  might  help  build  a 
bond  that  improves  compliance. 

To  make  this  work  in  a  busi¬ 
ness  setting: 

■  Select  the  right  rule  to  break: 


Find  something  that  won't 
cause  damage  but  gives  peo¬ 
ple  the  experience  necessary 
to  understand  the  outcome. 

■  Make  it  a  special  event  (not  a 
routine):  Let  them  know  that 
they  get  to  break  a  rule  be¬ 
cause  they  are  respected,  but 
that  it  comes  with  conditions. 

■  Engage  in  a  conversation,  not 
a  lecture:  Learn  from  their  ex¬ 
perience  and  use  it  to  reach  a 
common  understanding  of  the 
purpose  of  the  rule. 

For  example,  a  global  organi¬ 
zation  recently  implemented  Web 
filtering.  Anticipating  backlash,  it 
instituted  a  policy  that  allowed 
anyone  to  request  a  blanket  ex¬ 
emption  for  up  to  five  days. 

Surprisingly,  just  the  existence 
of  the  policy-the  potential  to 
break  the  rule-increased  com¬ 
pliance.  Few  people  made  tem¬ 
porary  requests,  and  even  fewer 
sought  permanent  exemptions. 

It  gets  better:  The  most  com¬ 
mon  reason  for  wanting  an  ex¬ 
emption  was  to  reach  popular 
sites  like  Google,  Linkedln  and 
Facebook.  Those  requests  got  a 
personal  response  explaining  that 
those  sites  weren’t  blocked  and 
giving  some  reasons  (spyware, 
virus,  misconfiguration)  that  the 
attempt  might  have  failed. 

This  generally  led  to  a  brief, 
engaging  conversation  about  the 
problem  and  guidance  on  how  to 
fix  it.  As  a  result,  a  problem  was 
solved,  and  people  learned  the 
value  of  the  system  and  withdrew 
their  requests  for  exemptions. 

Letting  someone  break  the 
rules,  or  just  offering  them  the 
chance  to  do  so,  is  a  simple  way 
to  increase  understanding  of  the 
purpose  of  the  rule  in  the  first 
place.  With  better  understanding 
comes  better  compliance. 


26  www.csoonline.com  SEPTEMBER  2012 


iStockphoto 


THE  EMPLOYEE  SECURITY  AWARENESS  NEWSLETTER  FROM  THE  EDITORS  AT  CSO 


Security  Smart  is  a  quarterly  security  awareness  newsletter  ready 
for  distribution  to  your  employees — saving  you  precious  time  on 
employee  education!  The  compelling  content  combines  personal 
and  organization  safety  tips  so  is  applicable  to  many  facets 
of  employees'  lives.  And  the  easy  to  read  design  has  multiple 
entry  points  so  you  are  assured  that  your  intended  audience  of 
employees — your  organization's  most  valuable  assets — will  read 
and  retain  the  information. 


fl/Ty 


& 


GlJAR, 


5  a  Safer?" 

*VlYv 


'/ACy 


Subscribe  today! 


l0"ldn 


'too U2  Waxedh 

a,r°uble.  eabu tal etr. 


at 


>KAUD 


at 


To  view  a  sample  issue  of  the  newsletter,  learn  about  the 
delivery  options  and  to  subscribe  visit: 

www.SecuritySmartNewsletter.com 


mm-  m 


O/o 

Th< 


*0(J 


•IV? 


&ng^°st 

r***  O’* 

sSsS** 


‘■Afo 


3  c°rnpi°n  c 


For  more  information  please  visit 

www.SecuritySmart.com 

Security  Smart  is  published  by  CSO,  a  business  unit  of  CXO  Media.  ©  2012  CXO  Media  Inc. 


BUSINESS  RISK  LEADERSHIP 


Cover  Story 


The  ' 
Decade 

ol  t  lie - 

CSO 


SECURITY  AS  A  PROFESSION 

has  come  a  long  way  in  the  last  decade. 
This  is  not  just  noteworthy,  it’s  also 
worth  celebrating. 

So  on  the  10th  anniversary  of  CSO’ s 
launch,  let’s  raise  our  glasses  and  toast 
the  Decade  of  the  CSO.  Security  lead¬ 
ership  existed  before  us,  and  it  will 
continue  after,  but  this  has  been  a  mag¬ 
nificent  decade  to  have  front-row  seats 
to  watch  security  mature  and  fight  for 
its  place. 

Risk  management  is  more  important 
to  more  corporate  leaders  today  than 
it  was  ten  years  ago.  Security  leaders 
deserve  a  lot  of  credit  for  this  as  they 
have  become  better  and  better  at  artic¬ 
ulating  the  business  case  for  security, 
as  we’ll  discuss  in  our  annual  State  of 
the  CSO  survey  results  in  the  following 
article. 


But  the  other  reason  for  the  rise  of 
risk  management  is  that  the  security 
environment  has  been  changing.  Bill 
Boni  describes  the  evolution  of  secu¬ 
rity  this  way:  “I  think  that  [elevated] 
status  has  been  achieved  in  part  by  the 
hard  work  of  practitioners,  but  in  equal 
measure  by  the  bad  works  of  the  threat 
actors.”  Boni  was  on  the  cover  of  the 
first  issue  of  CSO,  in  his  role  as  CISO 
at  Motorola.  Today  he  is  vice  president 
of  information  security  at  T-Mobile. 
Fraud  and  theft  and  corruption  were 
around  then — just  as  they  are  around 
today,  just  as  they  were  in  ancient 
times — but  cybercrime  in  particular 
has  been  turned  into  a  business  over 
the  past  decade.  Smarter,  more  orga¬ 
nized  threats  require  smarter,  more 
organized  defenses. 

So  what  about  the  decade  to  come? 


The  professionalization  of  security 
threats  will  surely  continue,  so  security 
must  follow  suit.  Or,  ideally,  get  ahead. 
This  will  require  still  more  hard  work 
and  evolution  on  the  part  of  security 
leaders  like  yourself.  But  it  also  requires 
more  changes  in  the  environment. 
That’s  going  to  be  the  hard  part — but 
more  on  that  in  a  moment. 

For  your  personal  evolution,  consid¬ 
er  a  few  observations  from  David  Kent, 
vice  president  of  security  at  Genzyme 
(now  owned  by  Sanofi  North  America). 

First,  Kent  notes,  it’s  all  about  the 
data.  “If  you  look  at  what  Google  is 
doing,  what  government  agencies  are 
doing,  it’s  the  data  that  is  driving  the 
business,”  he  says. 

“Security  is  part  of  the  [data  collec¬ 
tion]  sensor  net.  You  have  to  collect 
data  from  every  angle  to  give  the  busi- 


28  www.csoonline.com  SEPTEMBER  2012 


AUoIaild* 

Interview  with  White  House 
Security  Evangelists  Richjrd 
ClJrhe  end  Howard 


:tfrfvEs 


How  to  Blend  Physical  and 
tnto  Security 

Brometncs  SltH,dktt  Toward 
UwMiUnutii-am  > 


Because  success  depends  on  playing  well 
with  other  key  executives,  learn  how  (arid  with 
whom)  to  talk  turkey  in  The  CSO's  Guide  to 
Strategic  Shmoozing 


Then  and  now:  Bill  Boni,  on  the  cover 
of  CSO’s  first  issue  (right),  and  today  as 
VP  of  information  security  at  T-Mobile. 

ness  or  entity  competitive  advantage. 

“Grabbing  data  and  using  it  as  a  way 
to  forecast  some  activity  that  would  be 
beneficial  to  the  business — it’s  going 
to  be  common,  there  is  tremendous 
value,  and  security  needs  to  be  part  of 
the  story.” 

Second,  Kent  says  that  you  still  have 
to  differentiate  yourself  by  delivering 
something  greater  than  what  the  board 
expects  from  their  security  department . 


“Otherwise,  you  become  a  com¬ 
modity,”  says  Kent.  “It  doesn’t  matter 
whether  you’re  a  guard  force  manager 
or  the  GRC  [governance,  risk  and  com¬ 
pliance]  guy— if  you  don’t  distinguish 


yourself,  you’ll  be  a  have-not .”  Kent  says 
each  person  needs  the  drive  “to  force 
your  way  through  organizational  ob¬ 
stacles”  to  achieve  this  differentiation. 

Excelling  in  enterprise  risk  manage¬ 
ment  (ERM)  is  one  way  to  outperform 
the  norm.  The  primary  benefit  to  the 
company  of  strong  ERM  practices, 
says  Kent,  is  “the  identification  and 
assessment  of  risks  across  profes¬ 
sional  disciplines,  so  that  when  you  do 
offer  your  view  of  the  probability  and 
impact,  it’s  done  with  this  very  broad 
perspective. 

“So  by  extension,  the  solutions  that 
are  going  to  come  to  the  front  are  going 
to  carry  that  broad  thought  with  them 
and  inherently  be  more  efficient,”  he 
says.  For  the  solution  or  behavior  or 
decision,  you’ll  have  incorporated  all 
those  views  in  a  very  time-efficient 
way,  and  gained  the  knowledge  capital 
that  comes  from  repeating  that  process 
over  time.” 

Kent’s  third  point  has  to  do  with 
changing  the  environment  in  a  posi¬ 
tive  way. 

There  is  a  puzzling  data  point  in  the 
State  of  the  CSO  survey:  In  the 
ten  years  that  CSO  has  conducted 
the  survey,  the  percentage  of  re¬ 
spondents  who  hold  an  MBA  has 
remained  almost  exactly  the  same 
each  year — around  15  percent — re¬ 
gardless  of  fluctuations  in  average 
company  size  or  other  variables. 

Asked  to  comment  on  this,  Kent 
speculates  that  this  is  a  function  of 
demand.  Companies  hiring  CSOs 
don’t  expect  business  education. 
Universities  don’t  incorporate  op¬ 
erational  risk  management  into 
their  business  curricula,  nor  do  they 
build  business  fundamentals  into 
security-related  educational  tracks. 

Think  of  how  things  will  change 
for  the  better  if  this  situation  remedied 
in  the  next  ten  years. 


■  Contact  Editor  in  Chief  Derek  Slater  at 
dslater@cxo.com. 


September  2012  www.csoonline.com  29 


Cover  Story 


THE  SAYING  GOES  that 
in  every  crisis,  there  is  an  op¬ 
portunity.  Compliance  re¬ 
quirements,  data  and  privacy 
demands,  and  the  threat  land¬ 
scape  are  constantly  evolving, 
forcing  companies  to  realize 
the  importance  of  security  and 
invest  accordingly  As  security 
concerns  expand,  so  does  the 
role  of  the  security  leader. 

Our  annual  State  of  the  CSO  sur¬ 
vey  finds  a  continuation  of  a  two-part 
trend  that  we  have  been  tracking  for 
many  years:  First,  there  is  more  aware¬ 
ness  of  security  and  risk  among  com¬ 
panies,  and  second,  in  response,  many 
organizations  are  using  more  formal 
enterprise  risk  management  (ERM) 
programs.  These  policies,  processes, 
methods,  metrics  and  measurements 
help  shape  the  strategic  decisions  for 


The  2012  State  of  the  CSO 
survey  shows  progress  toward 
a  deeper  level  of  business 
understanding  and  a  wider 
knowledge  of  risk  management 

By  Joan  Goodchild 

their  organization.  The  goal  is  to  make 
security  strategy  both  targeted  and  ho¬ 
listic,  proactive  and  defensive. 

The  survey  gathered  responses  from 
228  security  professionals  in  a  broad 
range  of  industries.  Among  those 
polled,  66  percent  say  their  organiza¬ 
tion’s  leadership  (that  is,  the  CEO  and 
board  of  directors)  placed  more  value 
on  risk  management  in  the  past  year. 


30  www.csoonline.com  SEPTEMBER  2012 


David  Plunkert 


Cover  Story 


#  Most  organizations  said  their  organization  placed  more  value  on 


1. 

Recognizing  Risk  Management’s  Value 


In  the  past  12  months,  has  your  organization’s  leadership  placed 
more,  less  or  the  same  amount  of  value  on  risk  management? 


■  more  value  Bless  value  H  no  change 


Does  your  organization  use  a  formal  enterprise  risk 
management  process  or  methodology  that  incorporates 
multiple  types  of  risk  (in  other  words,  not  just 
information-security  risk  or  physical-security  risk)? 

2010  2011  2012 


risk  management  this  year  (again).  However,  while  recognition  of 
risk  management’s  importance  is  growing  overall,  adoption  of  for¬ 
mal  enterprise  risk  management  (ERM)  programs  is  holding  steady. 


ABOUT  THE  SURVEY  AND  RESPONDENTS:  The  State  of  the  CSO  Survey  was 
administered  online  to  a  qualified  sample  of  CSO' s  audience.  Findings  are  based  on  the 
responses  of  228  security  professionals.  Respondents  represent  a  wide  variety  of  indus¬ 
tries,  with  the  largest  percentage  of  respondents  working  in  (in  descending  order):  finan¬ 
cial  services,  government  and  nonprofits,  manufacturing,  high  tech,  telecom  and  utilities, 
and  healthcare.  Respondents  reported  involvement  in  numerous  security-related  activi¬ 
ties,  including  information  security,  privacy,  fraud  prevention,  investigations,  audit,  per¬ 
sonnel  security,  and  more.  Some  results  may  not  add  up  to  100  percent  due  to  rounding. 


That’s  a  solid  number,  even  higher  than 
the  6l  percent  result  in  2011. 

And  with  that  perceived  value  comes 
corresponding  support,  in  the  form  of 
money  and  staff.  Thirty-two  percent  of  re¬ 
spondents  expect  to  add  to  their  full-time 
security  headcount,  and  45  percent  expect 
their  organization’s  overall  security  bud¬ 
get  to  increase  in  the  coming  year.  Another 
42  percent  think  their  budget  will  stay  the 
same;  just  11  percent  expect  it  to  decrease. 
(Two  percent  were  not  sure.) 

While  the  budget  is  growing,  the  preva¬ 
lence  of  formal  ERM  programs  is  holding 
steady.  The  survey  found  that  56  percent 
of  those  polled  say  their  organization  now 
uses  a  formal  ERM  process  or  methodolo¬ 
gy  that  incorporates  multiple  types  of  risk 
and  that  goes  beyond  just  physical  and  IT 
security.  That’s  consistent  with  our  find¬ 
ings  in  the  past  two  years. 

The  State  of  the  CSO  results  demon¬ 
strating  the  maturation  of  the  security 
leader  role  are  mirrored  in  IT-specific 
research  from  Wisegate,  a  professional 
network  for  security  executives  to  share 
information.  Wisegate  found  that  the 
CISO’s  role  is  shifting  from  “a  glorified  IT 
security  administrator,  babysitting  fire¬ 
walls  and  cleaning  malware  from  infected 
systems,  to  holistic  risk  management— 
from  firefighting  security  breaches  to  an¬ 
ticipating  fires  before  they  start.” 

According  to  a  recent  Wisegate  member 
poll,  close  to  100  percent  of  participants 
say  they  have  combined  information  secu¬ 
rity  and  risk  management  responsibilities . 
Growing  compliance  requirements  and 
the  general  threat  landscape  were  cited  as 
the  two  primary  drivers  of  their  increasing 
risk  management  responsibilities. 

Philip  Agcaoili,  CISO  with  Cox  Commu¬ 
nications,  the  third-largest  cable  operator 
in  the  United  States,  has  been  a  security 
executive  for  over  a  decade.  A  self-pro- 
claimed  “joiner,”  he  says  he  has  been  net¬ 
working  with  others  in  security  since  he 
became  Verisign’s  first  CSO  in  1998,  and 
he  has  since  held  several  CSO  positions. 
He  has  seen  these  changes  coming  for 
years,  he  says. 


32  iviviv.csoonfine.com  September  2012 


“I  think  gravity  took  its  course,”  says  Ag- 
caoili.  “At  the  end  of  the  day,  no  security  or¬ 
ganization  I’ve  been  a  part  of  has  ever  had 
infinite  resources.  Risk  management  was  a 
way  to  ingest  findings  or  issues,  determine 
the  risk  to  the  company,  and  articulate  to 
the  business  what  the  risks  were.  And  it 
helped  us  prioritize  with  the  business  with 
what  needed  to  get  done.” 

Formal  ERM  programs  have  begun  to 
show  up  in  many  organizations .  Obviously, 
the  components  of  these  programs  vary 
from  place  to  place,  industry  to  industry. 
But  they  all  have  at  least  one  thing  in  com¬ 
mon:  They  seek  to  ensure  the  success  of 
the  organization  through  “sound,  proac¬ 
tive  thinking  and  strategy  relative  to  risk,” 
according  to  David  Sherry,  CISO  of  Brown 
University. 

“By  identifying  and  quantifying  the 
probability  and  impact  of  security  events, 
the  security  mission  is  supported  by  lan¬ 
guage  that  the  board  can  understand, 
without  relying  on  fear,  uncertainty  and 
doubt,”  Sherry  says. 

Dennis  Treece,  director  of  corporate 
security  for  Massport — the  public  author¬ 
ity  that  oversees  airports,  seaports  and 
many  transportation  services  in  Massa¬ 
chusetts — works  with  many  departments 
and  staff  within  his  organization.  Leading 
security  for  one  of  the  most  scrutinized 
transportation  hubs  in  the  world  demands 
a  risk  strategy  that  encompasses  both 
physical  and  digital  security. 

“To  me,  ERM  implies  an  all-hazards  ap¬ 
proach  that  takes  into  account  everything 
from  utilities  infrastructure  failure  to  bad 
weather,  to  pandemics,  to  accidents,  to 
building  things  on  the  cheap  and  poor 
maintenance,  to  terrorism,”  says  Treece. 
“Also,  to  me,  ERM  is  collaboration  among 
all  the  people  who  understand  the  risk 
components  the  organization  faces  and 
who  are  involved  in  the  risk  process,  ac¬ 
cept  risk,  or  reduce  it  or  transfer  it — or  any 
combination  of  those  things.” 

Consequently,  Treece’s  team  comprises 
a  diverse  set  of  individuals. 

“The  insurance  broker  here  is  on  my 
team,  the  internal  auditors  are  on  my 


■ 


§§ 


2. 

Who’s  Involved  in  ERM? 

Who  is  responsible  for  directing  strategy 
for  the  enterprise  risk  management  process? 


22% 


Chief  Risk  Officer 

17% 


cso 

CFO 


17% 


The  top  disciplines,  departments  or  groups  involved  in  ERM: 


91% 


Information  security 


86% 


Executive  management 

84% 

Business  continuity  and  disaster  recovery 


78% 


Financial  risk  and  insurance 


74% 


Physical  and  corporate  security 


69% 


General  counsel  and  legal 
Human  resources 


66% 


40% 


Loss  prevention 

31% 

Sales  and  marketing 

HHHH  28% 

Supply  chain 

13% 

Other 


September  2012  www.csoonline.com  33 


Cover  Story 


3. 

Security  Budgets,  Personnel,  Duties 

Compared  to  the  past  12  months,  how  will 
your  overall  security  budget  change? 


2% 


Increase  No  Change  Decrease  Not  Sure 

♦  Although  a  significant  percentage  of  respondents  expect 
security  funding  to  increase,  the  majority  expect  budgets 
will  hold  steady  or  shrink,  meaning  it’s  still  a  challenge 
for  many  respondents  to  get  money  for  security. 

Will  your  organization’s  full-time  security  staff  increase, 
decrease  or  stay  the  same  in  the  next  12  months? 


60% 


50% 


2011  2012 

■  Increase  81  No  Change  ■  Decrease  ■  Not  Sure 

Are  you  the  top  security  executive 
at  your  company  or  business  unit? 


*  A  new  question  this 
year.  The  majority  of 
respondents  said  they 
manage  a  security  pro¬ 
gram  that  focuses  on 
either  IT  or  physical 
security.  However,  one- 
fifth  of  those  polled  said 
their  duties  include  both 
physical  and  IT  security. 


corporate  security 


team,  two  legal  counsel,  police  and  rescue, 
the  operations  and  facilities  staff,”  Treece 
noted.  “We  cannot  exist  today  without 
them  because  security  is  so  technology- 
driven  and  -dependent.” 

But  working  with  per  s  onnel  from  various 
departments  is  not  without  its  challenges, 
both  for  the  CSO  and  for  the  professionals 
who  come  from  backgrounds  not  typically 
associated  with  security. 

Dave  Notch,  who  was  until  recently  the 
CISO  with  business-data  provider  Thom¬ 
son  Reuters,  says  he  saw  the  difficulties 
that  can  result  when  bringing  in  employ¬ 
ees  from  other  disciplines  and  trying  to 
make  them  all  part  of  one  security  and  risk 
team.  His  experience  tells  him  that  a  one- 
size-fits-all  approach  cannot  work  in  many 
industries. 

“One  of  the  most  direct  examples  was 
when  we  had  discussions  about  integrat¬ 
ing  physical  and  IT  security,  which,  ulti¬ 
mately,  we  never  did,”  recalled  Notch,  who 
was  responsible  for  managing  the  corpo¬ 
rate  programs  for  information  security, 
business  continuity,  disaster  recovery  and 
technology-related  audit  and  compliance 
activities .  “But ,  I  think  regardless  of  which 
department  they  are  coming  from,  it’s  dif¬ 
ficult  to  find  people  that  can  cross  those 
boundaries  and  talk  about  all  areas  of  risk 
intelligently.” 

Brown’s  Sherry  says  sometimes  the 
challenge  is  making  headway  in  a  culture 
that  doesn’t  always  understand  the  issues 
around  risk.  Sherry,  who  has  been  in  IT 
management  for  20  years,  first  became 
interested  in  security  during  the  Y2K 
scare  over  a  decade  ago.  In  his  four  years 
with  Brown,  he  has  seen  his  role  become 
much  broader  and  more  focused  on  risk 
management  and  compliance,  and  it  now 
includes  areas  such  as  “records  manage¬ 
ment,  copyright  law,  all  kinds  of  things 
they  throw  at  me,”  he  says. 

But  while  the  university  increasingly 
puts  value  on  security  and  risk  manage¬ 
ment,  Sherry  still  finds  it  tough  at  times 
to  make  the  case  for  investment. 

“The  challenge  in  higher  ed  is  creating 
relevance  for  the  security  mission  and  the 


34  www.csoonline.com  SEPTEMBER  2012 


privacy  and  compliance  mission,”  says 
Sherry.  “It’s  making  sure  the  university 
understands  the  implications  of  not  fol¬ 
lowing  best  practices  and  regulatory 
mandates.” 

As  Sherry’s  experience  shows,  selling 
security  has  always  been  difficult.  So  one 
of  the  goals  of  ERM  programs  is  to  give  se¬ 
curity  managers  a  quantifiable  set  of  met¬ 
rics  that  help  clarify  the  case  for  investing. 

“As  I  have  defined  it  and  as  I  implement 
it  here,  I  have  a  risk  chart  that  lists  our  top 
20  risk  cases  in  order  of  significance  to 
the  organization,”  says  Treece.  “I  use  this 
to  then  determine  what  gaps  we  have  be¬ 
tween  this  list  and  efforts  to  address  those 
risk  cases.  Where  we  need  to  do  more,  I  use 
[the  chart  ]  to  influence  the  budget  process, 
to  reduce  or  transfer  the  risks  we  find  to  be 
unacceptable.” 

In  order  to  succeed  in  ERM-driven  en¬ 
vironments,  CSOs  and  CISOs  agree  that 
security  managers  need  to  bone  up  on 
business  skills— nothing  surprising  there. 
Communicating  with  the  executive  man¬ 
agement  team  (which  is  engaged  in  86 
percent  of  respondents’  ERM  programs) 
takes  a  new  level  of  business  understand¬ 
ing  among  security  pros. 

“In  the  last  decade,  it’s  been  helpful 
to  have  a  business  discussion  using  risk 
terms.  And  business  leaders  have  gravi¬ 
tated  toward  it,”  says  Agcaoili.  “In  securi¬ 
ty,  there  is  always  a  new  problem,  and  risk 
management  has  allowed  me  to  identify 
risk  based  on  issues  or  findings,  develop 
what  the  risks  are,  and  then  prioritize  and 
work  with  the  business  to  actually  invest 
in  that.” 

“I  work  with  a  lot  of  other  CSOs  from 
banks,  from  universities,  from  all  over,” 
says  Treece.  “We  are  all  different;  we 
have  different  cultures  and  budgets.  But 
we  all  have  the  same  basic  requirements 
to  secure  the  business  defensively  in  an 
affordable  way.  In  order  for  that  to  hap¬ 
pen,  security  people  today  need  to  learn 
to  speak  business.” 


■  Contact  Senior  Editor  Joan  Goodchild  at 
jgoodchild@cxo.  com . 


Business  Methods  and  Calculations 

Which  of  the  following  methods  and  calculations  do 
you  apply  in  the  security  budgeting  process? 


2010 

2011 

2012 

34% 

38% 

47% 

32% 

34% 

38% 

13% 

13% 

20% 

NA 

12% 

21% 

10% 

9% 

10% 

9% 

9% 

15% 

51% 

43% 

26% 

Return  on  investment 

Total  cost  of  ownership 

Annual  loss  expectancy 

Cost-based  accounting 

Net  present  value 

Economic  value  added 

No  formal  financial  methodology 


*  The  significant  decrease  in  the  number  of  respondents  using  no 
formal  financial  methodology  is  likely  a  reflection  of  the  increase  in 
the  percentage  of  the  respondent  pool  that  is  reporting  from  compa¬ 
nies  with  revenues  in  excess  of  $1  billion.  Still,  overall  figures  suggest 
adoption  of  formal  methodology  for  security  budgets  is  slowly  rising. 


5. 

What  to  Expect? 


Which  of  the  following  trends  will  have  the  most 
profound  effect  on  the  role  of  the  security  professional? 


a 

in 

Is 


■ 


10% 

_ _ k  None  of 

these 

11% 

Big  data 


14% 

)cial  media  and 
social  networkiri 


16% 

rization 
)f  desktop 
and  devices 


18% 

Technology 
as  a  service 


■ 


September  2012  www.csoonline.com  35 


Gray  Matters 

Estimated  annual  cost  of  various  kinds  of  wrongdoing 


$3.5 

$34.5 

$1 

$58 

$1 

trillion 

billion 

trillion 

billion 

trillion 

Global 

U.S.  shoplifting 

Global 

Theft  of  U.S. 

Global  cybercrime 

occupational 

and  retail  shrink 

corruption/ 

created  content 

(McAfee;  widely 

fraud 

(ACFE  Report  to 
the  Nations  2012) 

(National  Retail 
Security  Survey) 

bribery  payments 
(not  including 
embezzlement) 

(World  Bank 
Institute) 

(Institute  for 
Policy  Innovation 
and  the  MPAA; 
widely  disputed) 

disputed) 

36  www.C8o0nline.com  SEPTEMBER  2012 


APTs:  Why  Security 
Intelligence  is  Required 


Market  a 
Pulse  v 


HACKING  ATTACKS  ARE  ALWAYS  SCARY,  YET  A  RECENT  IDG  RESEARCH  SURVEY  OF 
CSOS  AND  OTHER  IT  LEADERS  PAINTS  AN  EVEN  SCARIER  PICTURE:  ADVANCE  PER¬ 
SISTENT  THREATS  (APTS)  ARE  ON  THE  RISE.  FORTUNATELY,  RESPONDENTS  ARE  WELL 
AWARE  OF  THE  DANGERS  ASSOCIATED  WITH  APTS  EVEN  THOUGH  FEW  HAVE  CONFI¬ 
DENCE  IN  THEIR  ABILITY  TO  SUCCESSFULLY  FIGHT  OFF  SOPHISTICATED  ATTACKS. 


According  to  survey  respondents/the  level  of  concern  regarding 
Advance  Persistent  Threats  (APTs)  is  high  with  93  percent  of 
survey  respondents  citing  familiarity.  Additionally,  nearly  three- 
quarters  of  the  respondents  are  either  certain  or  believe  it  is  likely 
that  their  organizations  have  fallen  victim  to  an  APT  attack. 

it's  the  persistent,  targeted  nature  and  multiple  avenues  of 
entry  involved  (phishing  emails,  web  hacking,  social  engineering, 
etc.)  that  make  APTs  dangerous,  explains  Phil  Neray,  head  of 
security  intelligence  strategy  with  IBM's  Security  Systems  Division. 
"People  are  starting  to  realize  that  the  traditional  approach  of 
relying  on  point  solutions  like  firewalls,  antivirus  and  perimeter 
defenses  is  no  longer  sufficient.  The  idea  that,  because  these  are 
in  place,  each  intrusion  event  will  somehow  provide  a  meaningful 
alert  to  prompt  action  is  also  a  fallacy,"  he  says. 

Fortunately,  leadership  is  taking  the  APT  threat  seriously  with 
63  percent  reporting  APTs  are  recognized  as  a  strategic  issue  by 
senior  management  at  their  organizations.  The  majority  of  orga¬ 
nizations  are  also  making  or  planning  to  make  strategy  changes 
specifically  to  address  this  type  of  threat. 

»  Addressing  Concerns 

Theft  of  corporate  IP,  such  as  strategic  plans,  new  product 
designs,  and  customer  data,  showed  up  as  the  key  concerns  for 
respondents.  In  addition,  more  than  40  percent  are  concerned 
that  attackers  will  compromise  or  disable  their  commercial 
websites. 

To  address  the  dangers  associated  with  APTs,  respondents 
are  deploying  or  planning  to  deploy  a  number  of  technologies  to 
combat  APTs,  including  network  traffic  monitoring  and  forensics, 
end  point  protection  platforms,  vulnerability  assessment  tech¬ 
nologies,  and  Security  Information  and  Event  Management  (SIEM). 
In  addition,  respondents  at  the  largest  companies  are  more  likely 
than  those  at  smaller  companies  to  indicate  they  have  already 
deployed  application  security  testing. 

"As  businesses  look  for  strategies  to  level  the  playing  field 


against  sophisticated  attackers,  they  need  to  move  away  from  the 
traditional  approach  of  deploying  the  latest  network  security  box 
to  block  intrusions.  It's  more  realistic  to  implement  continuous 
monitoring  across  your  entire  environment  combined  with  correla¬ 
tion  rules  and  behavioral  anomaly  detection  to  rapidly  identify 
unusual  activity,"  says  Neray. 

A  solid  strategy  should  include  collecting  network  flow  data, 
logs,  events  and  user  activity  information  from  different  parts  of 
your  environment  and  putting  them  into  a  scalable,  distributed 
repository  so  you  can  apply  Big  Data  analytics  and  indexed  search 
to  "find  the  needle  in  the  haystack." 

You  should  also  add  contextual  information  such  as  threat 
intelligence  feeds,  vulnerability  and  configuration  management 
information,  plus  1AM  data  about  users  and  roles,  to  quickly  priori¬ 
tize  alerts  and  focus  on  the  top  incidents  requiring  attention. 

"We  call  this  Security  Intelligence,"  he  says.  "It's  about 
instrumenting  your  environment  and  applying  advanced  security 
analytics  to  improve  your  IT  security  and  risk  posture."  ■ 


Key  concerns  regarding  the  risk  from  APTs: 
Attackers  will... 


Steal  customer  or  employee  data  such 
as  email  addresses,  credit  card 
and  social  security  number 

Steal  corporate  intellectual  property 
(IP)  such  as  strategic  plans,  new 
product  designs,  financial  data,  or 
proprietary  code  or  algorithms 

Bring  down  or  deface 
our  commercial  websites 


Source:  IDG  Research,  June  2012 


CSO  (Dl_abs 

Custom  Solutions  Group  —**»»- :■  **  «m  e 


For  more  information,  including  comprehensive  survey 
results,  view  the  white  paper  on  how  to  best  protect  your 
organization  at  www.csoonline.com/white-papers/Qllabs 


The  #1  Security  Platform 
for  Virtualization 
and  the  Cloud * 


*  *  -  »  •*,.*« 


Protect  your  VMware ®  environment  with  Trend  Micro. 

Only  Trend  Micro  delivers  end-to-end  security  from  virtual  datacenters  and  private 
clouds  out  to  public  and  hybrid  clouds.  As  the  best  agentless  security  platform  for 
VMware'“  environments,  Trend  Micro  lets  you  maximize  your  virtualization  ROI 
while  seamlessly  enabling  comprehensive  compliance.  It's  the  complete  package. 

For  more  information,  go  to:  trendmicro.com/completesecurity  Securing  Your  Journey  to  the  Cloud 


Q 


TREND 

MICRO 


4 Technavio  Insights  Report.  Global  Cloud  Security  Software  Market  2010-2014 

©  2012  Trend  Micro,  Inc.  All  rights  reserved.  Trend  Micro  and  the  t-ball  logo  are  trademarks  or  registered  trademarks  of  Trend  Micro,  Inc. 
©  2012  VMware,  Inc.  All  rights  reserved.  VMware  and  VMworld  are  registered  trademarks  of  VMware,  Inc. 


